Security Alert: Critical WordPress Plugin Vulnerability in WPvivid Backup (CVE-2026-1357)
A critical security vulnerability (CVE-2026-1357) has been discovered in the WordPress plugin WPvivid Backup, which has over 800,000 active installations. Attackers could exploit this flaw to upload malicious files, potentially allowing them to take full control of affected sites.
Affected Systems:
WordPress WPvivid Backup plugin: versions 0.9.123 and earlier
Security Risks
Successful exploitation of this vulnerability could allow attackers to upload malicious files through the WPvivid Backup plugin, potentially resulting in full site takeover, unauthorized access, data theft, malware installation, or defacement of affected sites.
For a complete list of other recently disclosed WordPress plugin vulnerabilities and available patches, please refer to a WordPress vulnerability database.
Recommended Actions
The National Cyber Security Authority (NCSA) recommends that users and system administrators:
Upgrade, as soon as possible, to the latest supported version to maintain security and continue receiving technical support and patches.
The released software version for upgrade is:
WordPress WPvivid Backup plugin: Upgrade to version 0.9.124 or above
Ensure you have the latest backup that can be easily restored before applying any updates or patches.
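One way to check installations against the fixed version named above, as an added example that is not part of the NCSA advisory or the plugin's own code. It reads the standard WordPress plugin header in a directory you pass it and flags anything below 0.9.124. The advisory does not give the plugin's directory name, so it is supplied as an argument; the function names and sample headers are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag plugin directories still below the fixed release.
FIXED_VERSION="0.9.124"   # first fixed release named in the advisory

# Print the "Version:" value from a WordPress plugin header comment.
plugin_version() {
  sed -n 's|^[[:space:]*#@/]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*|\1|p' "$1" | head -n 1
}

# Succeed when $1 sorts strictly before $2 in version order (needs sort -V).
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify one plugin directory. Returns 0 = patched, 1 = vulnerable,
# 2 = no plugin header with a version found (inspect by hand).
check_plugin_dir() {
  local dir="$1" f v=""
  for f in "$dir"/*.php; do
    { [ -f "$f" ] && grep -q 'Plugin Name:' "$f"; } || continue
    v="$(plugin_version "$f")"
    if [ -n "$v" ]; then break; fi
  done
  if [ -z "$v" ]; then echo "UNKNOWN - $dir"; return 2; fi
  if version_lt "$v" "$FIXED_VERSION"; then echo "VULNERABLE $v $dir"; return 1; fi
  echo "PATCHED $v $dir"
}

# Write a constructed plugin header (sample data, not the real plugin file).
make_sample_plugin() {
  mkdir -p "$1"
  printf '<?php\n/**\n * Plugin Name: Sample plugin (constructed)\n * Version: %s\n */\n' "$2" > "$1/sample.php"
}

if [ "$#" -gt 0 ]; then
  # Usage: pass each site's WPvivid Backup plugin directory as an argument.
  for d in "$@"; do check_plugin_dir "$d"; done
else
  # No arguments: run against constructed samples in a temp directory.
  tmp="$(mktemp -d)"
  make_sample_plugin "$tmp/old" 0.9.123
  make_sample_plugin "$tmp/new" 0.9.124
  check_plugin_dir "$tmp/old"; check_plugin_dir "$tmp/new"
  rm -rf "$tmp"
fi
```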
For further information and support, please contact the National Cyber Security Authority (NCSA) by email at rwcsirt@ncsa.gov.rw or by phone on 9009.