Share
## https://sploitus.com/exploit?id=2D662F69-8C74-53BE-82DD-AA1BAE83AFDD
# PoC CVE-2026-1357: WPvivid Backup & Migration

> The Migration, Backup, Staging โ€“ WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.

[https://nvd.nist.gov/vuln/detail/CVE-2026-1357](https://nvd.nist.gov/vuln/detail/CVE-2026-1357)

---

## Lab Setup

### Directory Structure
Organize your project folder as follows:
```text
.
โ”œโ”€โ”€ docker-compose.yml
โ”œโ”€โ”€ exploit.py
โ”œโ”€โ”€ requirements.txt
โ”œโ”€โ”€ vulnerable-plugin-folder/   # Staging area for the plugin
โ””โ”€โ”€ wp-content/                 # Persistent WP data (Created by Docker)
```

### Plugin Acquisition & Extraction

Since the vulnerability was patched in later versions, you must manually download and stage version **0.9.123**. Run these commands from your project root:

```bash
# Download the vulnerable version
wget https://downloads.wordpress.org/plugin/wpvivid-backuprestore.0.9.123.zip

# Create the staging directory
mkdir vulnerable-plugin-folder

# Extract and move files into place
unzip wpvivid-backuprestore.0.9.123.zip
mv wpvivid-backuprestore/* vulnerable-plugin-folder/
rm -rf wpvivid-backuprestore wpvivid-backuprestore.0.9.123.zip
```

1. **Start the environment:**
   ```bash
   docker-compose up -d
   ```
2. **WordPress Setup:** Navigate to `http://localhost:8080` and complete the installation.
3. **Activate & Configure:**
   * Login to the dashboard (`/wp-admin`).
   * Go to **Plugins** -> **Installed Plugins** -> **Activate** WPvivid Backup.
   * Go to the **WPvivid Backup** menu -> **Key** tab -> Click **Generate**.
   *(Note: This initializes the migration listener. Without a generated key, the plugin will return a 400 Bad Request error.)*

---

## Usage

### Install Dependencies

```bash
pip install -r requirements.txt
```

### Run the Exploit

Execute the script against your lab target:

```bash
python3 exploit.py localhost:8080 --command "id"
```

### Verification
If successful, the script will output the results of the command (e.g., `uid=33(www-data) gid=33(www-data)`). You can also verify the existence of the shell in your lab:

```bash
docker exec wpvivid-lab ls /var/www/html/wp-content/uploads/
```

---

## Disclaimer
This tool is for educational purposes and authorized security research only. Unauthorized access to computer systems is illegal.