A critical security vulnerability has been discovered in WPvivid Backup, a popular WordPress plugin used by over 800,000 websites to safeguard their data. The flaw, tracked as CVE-2026-1357, carries a maximum CVSS score of 9.8, allowing unauthenticated attackers to upload malicious files and take complete control of a site.
The vulnerability was discovered by researcher Lucas Montes (NiRoX), who was awarded a $2,145.00 bounty for identifying the issue just five days after it was introduced into the code.
The vulnerability lies in the plugin’s remote transfer feature, specifically the send_to_site() function, which handles incoming backup files from other websites. Typically, this process is secured by a generated key that decrypts the incoming data. However, a flaw in how the plugin handles encryption keys created a massive loophole.
The report reveals that the system fails to properly validate the decryption key, defaulting to a weak state that attackers can exploit.
“This means that the default null byte key is used with an incorrect key, allowing the attacker to craft encrypted data with the null byte key,” the report explains.
Once the encryption check is bypassed, the plugin fails to perform another critical step: validating what kind of file is being uploaded. “The file upload function does not contain any file type or extension checks,” allowing attackers to upload PHP scripts instead of backup files.
The combination of broken cryptography and unrestricted file uploads is a recipe for disaster. By uploading a malicious “web shell,” an attacker can execute arbitrary commands on the server, modify files, and steal sensitive database information.
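The two defects the article describes, an unvalidated transfer key that silently falls back to a weak all-null default and an upload path with no file-type check, can be illustrated side by side with fail-closed versions of both checks. The following is an added example written for this page, not WPvivid's code: the function and parameter names (`resolve_transfer_key`, `verify_transfer`, `validate_upload_name`, `TransferRejected`), the 32-byte minimum key length, the archive allowlist and the use of an HMAC in place of the plugin's own key-based decryption are all assumptions, and it is written in Python rather than PHP purely to keep the checks themselves readable.

```python
"""Fail-closed key resolution and upload-name validation for a
site-to-site backup transfer endpoint.

Added example, not the plugin's code. It models the two failure modes the
article describes: (1) a missing or mismatched transfer key falling through
to a default all-null-byte key, and (2) an upload path with no file-type or
extension check. All names and constants below are hypothetical.
"""
import hashlib
import hmac
from pathlib import PurePosixPath
from typing import Optional

MIN_KEY_BYTES = 32                          # assumed size of a generated key
NULL_KEY = b"\x00" * MIN_KEY_BYTES          # the weak default the article describes

# Assumed allowlist: the only archive formats a backup transfer should carry.
ALLOWED_EXTENSIONS = {".zip", ".tar", ".gz"}
# Anything a web server could execute is refused wherever it appears in a
# multi-extension name (e.g. "backup.php.zip"), not only as the last suffix.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}


class TransferRejected(Exception):
    """Raised whenever a transfer must be refused instead of falling back."""


def resolve_transfer_key(configured_key: Optional[bytes]) -> bytes:
    """Return the key used to authenticate incoming transfers, or refuse.

    The vulnerable pattern is to fall through to NULL_KEY when no usable key
    is configured; here every such case fails closed.
    """
    if not configured_key:
        raise TransferRejected("transfer feature has no generated key; refusing")
    if len(configured_key) < MIN_KEY_BYTES:
        raise TransferRejected("configured key is shorter than the minimum")
    if hmac.compare_digest(configured_key, b"\x00" * len(configured_key)):
        raise TransferRejected("configured key is the all-null default")
    return configured_key


def make_tag(key: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 over the payload (stands in for the plugin's own scheme)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_transfer(configured_key: Optional[bytes], payload: bytes, tag: bytes) -> bool:
    """Authenticate a payload under the resolved key.

    Because NULL_KEY is never resolved, a tag computed under it by a remote
    party can never validate, which closes the bypass the article describes.
    """
    key = resolve_transfer_key(configured_key)
    return hmac.compare_digest(make_tag(key, payload), tag)


def validate_upload_name(filename: str) -> str:
    """Return a safe basename for a backup upload, or raise.

    Rejects path separators and traversal, NUL bytes, executable extensions
    anywhere in the name, and any final extension outside the allowlist.
    """
    if "\x00" in filename or "\\" in filename:
        raise TransferRejected("illegal character in upload name")
    name = PurePosixPath(filename).name
    if name != filename or name in ("", ".", ".."):
        raise TransferRejected("upload name must be a plain filename")
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        raise TransferRejected("upload has no extension")
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        raise TransferRejected("executable extension in upload name")
    if suffixes[-1] not in ALLOWED_EXTENSIONS:
        raise TransferRejected(f"extension {suffixes[-1]} is not an allowed archive type")
    return name


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises TransferRejected; used to exercise the checks."""
    try:
        fn(*args)
    except TransferRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs, not real traffic.
    key = hashlib.sha256(b"constructed-demo-key").digest()
    data = b"constructed backup archive bytes"
    print("valid tag accepted:", verify_transfer(key, data, make_tag(key, data)))
    print("null-key tag rejected:", not verify_transfer(key, data, make_tag(NULL_KEY, data)))
    print("missing key fails closed:", rejects(verify_transfer, None, data, make_tag(NULL_KEY, data)))
    print("shell.php refused:", rejects(validate_upload_name, "shell.php"))
    print("backup.php.zip refused:", rejects(validate_upload_name, "backup.php.zip"))
```

The point of `resolve_transfer_key` is that the absence of a key is an error, never a default: with the feature disabled, the endpoint refuses every transfer rather than accepting one authenticated under a predictable key. `validate_upload_name` checks every suffix rather than only the last so that a double extension cannot smuggle a script past an allowlist that only looks at the final component.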
“This vulnerability can be used by unauthenticated attackers to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover,” Wordfence warns.
While the severity score is critical, there is a silver lining for the majority of users. The vulnerability relies on a specific feature being active: the site-to-site transfer tool.
“We would like to draw attention once again to the fact that the vulnerability only critically affects users who have a generated key in the plugin setting, which is disabled by default,” the advisory notes.
However, for those who do have this feature enabled (often used during migrations or staging updates), the risk is immediate. Wordfence reported that its firewall “blocked 31 attacks targeting this vulnerability in the past 24 hours,” indicating that threat actors are already probing for the flaw.
The developers have addressed the issue in the latest release. All users of WPvivid Backup are urged to update to version 0.9.124 immediately to close the security gap.