CVE-2026-1357
published 2026-02-11

CVE-2026-1357: The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123.

Priority: P193 · Critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 32.71% (98.1th percentile)
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.

Detection & IOCs (extracted from sources)

url: https://spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com
ip: 38.242.204.245
ip: 38.242.237.196
ip: 38.242.245.147
ip: 83.171.249.231
ip: 161.97.129.25
ip: 161.97.135.154
ip: 161.97.163.87
ip: 161.97.186.175
ip: 161.97.187.42
ip: 193.187.129.143
ip: 213.136.80.73
domain: lastpass-login-help.com
url: https://cdn.cloudfront-js.com:8443/u
path: /var/lib/.spm/
path: /var/tmp/apt-daily-upgrade
filename: monitor.py
filename: utils.py
filename: _lat.py
filename: _cu.py
filename: _cr.py
filename: _csc.py
filename: check.sh
filename: update.bin
filename: update-386.bin
filename: update-arm.bin
filename: harvest.jsonl
other: _RPK = "6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo="
url: /wp-content/uploads/vt-nuclei-test.txt
path: /wp-content/plugins/wpvivid-backuprestore
port: 27017
port: 8443
  • Detect CVE-2026-1357 exploitation attempts by monitoring POST requests containing the 'wpvivid_action=send_to_site' parameter, which is the attack vector for unauthenticated arbitrary file upload.
  • The Nuclei PoC template uses a specific encoded payload in the 'wpvivid_content' POST body parameter; monitor for large base64-encoded POST bodies to the WordPress root endpoint with wpvivid_action=send_to_site.
  • Monitor for unexpected PHP files appearing in wp-content/uploads/ or other publicly accessible WordPress directories, which would indicate successful directory traversal exploitation of CVE-2026-1357.
  • PCPJack drops files under /var/lib/.spm/ and installs a systemd service named sys-monitor.service; hunt for these paths and service names as persistence indicators post-exploitation.
  • PCPJack exfiltrates credentials to Telegram; each chunk is prepended with a 🔒 emoji after base64 encoding. Monitor outbound traffic to Telegram API endpoints for this pattern.
  • The PCPJack crypto_util module uses a hardcoded X25519 recipient public key '_RPK = "6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo="'; presence of this string in memory or on disk is a strong indicator of compromise.
  • Use the FOFA/Shodan queries from the Nuclei template to identify exposed WordPress instances running the vulnerable wpvivid-backuprestore plugin as potential targets.
  • PCPJack self-deletes bootstrap.sh after execution (rm -f "$0"); forensic investigation should focus on residual artifacts in /var/lib/.spm/ and the installed Python virtual environment rather than the initial script.
  • Exploitation requires a valid session key within its 24-hour validity window, limiting the realistic exploitation window even when the feature is enabled.
  • The null-byte AES key attack works because phpseclib treats a boolean false (returned by failed openssl_private_decrypt) as a string of null bytes; this is a library behavior quirk that may differ across phpseclib versions.
  • PCPJack's crypto_util module silently falls back to sending credentials in plaintext if the cryptography Python library is not installed, meaning some exfiltration may be unencrypted and easier to detect in transit.
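The request-monitoring and artifact-hunting bullets above, turned into runnable detection logic. This is an added example, not code from cbcvebase, Wordfence, the Nuclei project or the WPvivid plugin. It assumes requests arrive as dicts parsed from a WAF or reverse-proxy audit log that keeps the POST body (ordinary access logs do not), the 4096-byte "large body" threshold is a placeholder to tune, and every sample record and path is constructed; the host indicators (`/var/lib/.spm/`, `sys-monitor.service`, the `_RPK` string) are the ones listed on this page.

```python
"""Defender-side checks for CVE-2026-1357 exploitation attempts and the PCPJack
post-exploitation artifacts listed on this page, run over constructed sample data.

Assumptions (not from the page): request records are dicts already parsed from a
WAF or reverse-proxy audit log that retains the POST body; host artifacts are
supplied as plain path strings and text snippets.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Size above which a wpvivid_content value counts as a "large" upload body.
# Assumed value; tune to the site's legitimate WPvivid traffic.
LARGE_BODY_BYTES = 4096
BASE64_ALPHABET = re.compile(r"[A-Za-z0-9+/=]+")
# Extensions a PHP engine may execute; the page's concern is PHP landing in uploads/.
PHP_EXT = re.compile(r"\.ph(p[0-9]?|tml|ar)$", re.IGNORECASE)

# Host-level indicators taken from the IOC list on this page.
PCPJACK_PATHS = ["/var/lib/.spm/", "/var/tmp/apt-daily-upgrade"]
PCPJACK_SERVICE = "sys-monitor.service"
PCPJACK_RPK = '_RPK = "6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo="'


def _params(req):
    """Merge query-string and form-body parameters into one dict of lists."""
    merged = parse_qs(urlsplit(req["uri"]).query)
    if req.get("content_type", "").startswith("application/x-www-form-urlencoded"):
        merged.update(parse_qs(req.get("body", "")))
    return merged


def analyze_request(req):
    """Return the detection reasons for one request record; an empty list means clean."""
    reasons = []
    params = _params(req)
    if req["method"].upper() != "POST" or "send_to_site" not in params.get("wpvivid_action", []):
        return reasons
    reasons.append("POST with wpvivid_action=send_to_site (CVE-2026-1357 vector)")
    # parse_qs decodes '+' as a space; restore it before the base64 alphabet check.
    content = params.get("wpvivid_content", [""])[0].replace(" ", "+")
    if len(content) >= LARGE_BODY_BYTES and BASE64_ALPHABET.fullmatch(content):
        reasons.append(f"large base64-looking wpvivid_content ({len(content)} bytes)")
    return reasons


def unexpected_php_files(paths):
    """Flag PHP-like files under wp-content/uploads/, where executable PHP should never appear."""
    return [p for p in paths
            if "wp-content/uploads/" in p.replace("\\", "/") and PHP_EXT.search(p)]


def scan_host(paths, blobs):
    """Match file paths, systemd unit names and text snippets against the PCPJack indicators."""
    hits = [p for p in paths
            if any(p.startswith(prefix) for prefix in PCPJACK_PATHS) or p.endswith(PCPJACK_SERVICE)]
    # The hardcoded recipient public key is searched for verbatim in file contents or memory dumps.
    hits.extend(f"<blob {i}>" for i, blob in enumerate(blobs) if PCPJACK_RPK in blob)
    return hits


# Constructed sample data (not captured traffic and not a real payload).
SAMPLE_REQUESTS = [
    {"method": "GET", "uri": "/?p=12", "content_type": "", "body": ""},
    {"method": "POST", "uri": "/wp-login.php",
     "content_type": "application/x-www-form-urlencoded", "body": "log=editor&pwd=secret"},
    {"method": "POST", "uri": "/?wpvivid_action=send_to_site",
     "content_type": "application/x-www-form-urlencoded",
     "body": "wpvivid_content=" + "QUFB" * 2000},   # filler: 8000 base64 characters
]
SAMPLE_PATHS = [
    "wp-content/uploads/2026/02/photo.jpg",
    "wp-content/uploads/2026/02/cache.php",
    "wp-content/plugins/wpvivid-backuprestore/wpvivid-backuprestore.php",
]
SAMPLE_HOST_PATHS = ["/var/lib/.spm/monitor.py",
                     "/etc/systemd/system/sys-monitor.service",
                     "/home/web/notes.txt"]
SAMPLE_BLOBS = ["import os\nprint('hello')", 'KEY = "x"\n' + PCPJACK_RPK + "\n"]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["method"], r["uri"], "->", analyze_request(r) or "clean")
    print("php in uploads:", unexpected_php_files(SAMPLE_PATHS))
    print("pcpjack artifacts:", scan_host(SAMPLE_HOST_PATHS, SAMPLE_BLOBS))
```

The request check keys on the `send_to_site` action first and only then on body size, so a legitimate remote-backup transfer on a site that uses the feature will still be flagged; on such a site the action match alone is an alert to correlate with the plugin's expected peer, while the "large base64 body" reason narrows it toward the PoC shape described above. The uploads scan is deliberately extension-based rather than content-based because a traversal write lands the file wherever the attacker names it; pair it with a file-integrity baseline of `wp-content/uploads/` for lower noise.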

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL