{"id":231236,"date":"2026-02-13T01:16:42","date_gmt":"2026-02-13T07:16:42","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/02\/wordpress-plugin-with-900k-installs-vulnerable-to-critical-rce-flaw"},"modified":"2026-02-13T01:16:42","modified_gmt":"2026-02-13T07:16:42","slug":"wordpress-plugin-with-900k-installs-vulnerable-to-critical-rce-flaw","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/02\/wordpress-plugin-with-900k-installs-vulnerable-to-critical-rce-flaw","title":{"rendered":"WordPress plugin with 900k installs vulnerable to critical RCE flaw"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/wordpress-plugin-with-900k-installs-vulnerable-to-critical-rce-flaw.jpg\"><\/a><\/p>\n<p>A critical vulnerability in the WPvivid Backup &amp; Migration plugin for WordPress, installed on more than 900,000 websites, can be exploited to achieve remote code execution by uploading arbitrary files without authentication.<\/p>\n<p>The security issue is tracked as CVE-2026\u20131357 and received a severity score of 9.8. It impacts all versions of the plugin up to 0.9.123 and could lead to a complete website takeover.<\/p>\n<p>Despite the severity of the issue, researchers at WordPress security company Defiant say that only sites with the non-default \u201creceive backup from another site\u201d option enabled are critically impacted.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A critical vulnerability in the WPvivid Backup &amp; Migration plugin for WordPress, installed on more than 900,000 websites, can be exploited to achieve remote code execution by uploading arbitrary files without authentication. The security issue is tracked as CVE-2026\u20131357 and received a severity score of 9.8. It impacts all versions of the plugin up to [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1492],"tags":[],"class_list":["post-231236","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/231236","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=231236"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/231236\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=231236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=231236"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=231236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}