CVE-2026-1357
WPvivid · WPvivid Backup & Migration (WordPress Plugin)
The WPvivid Backup & Migration plugin for WordPress allows unauthenticated remote code execution via arbitrary file uploads due to improper RSA error handling and directory traversal.
Executive summary
An unauthenticated remote code execution vulnerability in the WPvivid WordPress plugin allows attackers to completely take over websites by uploading malicious PHP files.
Vulnerability
The plugin fails to handle RSA decryption errors correctly: when decryption fails, it falls back to a predictable AES key made up of null bytes instead of rejecting the request. Combined with missing path sanitization, an unauthenticated attacker can use the wpvivid_action=send_to_site parameter to upload arbitrary files to any directory, escaping the intended backup folder.
Business impact
This vulnerability carries a CVSS score of 9.8, indicating a critical threat. A successful exploit allows for total site compromise, data exfiltration, and the installation of persistent backdoors. For businesses relying on WordPress, this could result in complete loss of customer trust and significant downtime.
Remediation
Immediate Action: Update the WPvivid Backup & Migration plugin to the latest version (above 0.9.123) as soon as possible.
Proactive Monitoring: Scan the WordPress wp-content and public directories for unexpected PHP files and review web server logs for requests containing the wpvivid_action parameter.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules specifically designed to block directory traversal sequences and unauthorized file upload attempts.
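The log review recommended under Proactive Monitoring, as an added example that is not part of this advisory or the plugin's code. It parses combined-format web server access log lines (the sample lines are constructed), flags every request carrying the wpvivid_action parameter, and raises the severity for send_to_site requests whose decoded request target contains a directory traversal sequence. The parameter name "path" used in the sample is an assumption, not the plugin's real parameter.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2026:12:00:01 +0000] "GET /wp-content/uploads/img.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jan/2026:12:00:02 +0000] "GET /?wpvivid_action=get_backup_list HTTP/1.1" 200 2048 "-" "WPvivid"
198.51.100.7 - - [10/Jan/2026:12:00:03 +0000] "POST /?wpvivid_action=send_to_site&path=..%2F..%2Fshell.php HTTP/1.1" 200 77 "-" "curl/8.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD target proto", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" anywhere in the decoded request target
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def classify(line):
    """Return a finding dict for requests using wpvivid_action, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m.group('target')
    query = parse_qs(urlparse(target).query)
    action = query.get('wpvivid_action', [None])[0]
    if action is None:
        return None  # not a WPvivid request; nothing to report
    # Decode twice so a double-encoded "..%252F" is caught as well.
    decoded = unquote(unquote(target))
    finding = {
        'ip': m.group('ip'),
        'timestamp': m.group('ts'),
        'action': action,
        'status': int(m.group('status')),
        'severity': 'info',  # any wpvivid_action request is worth a look
    }
    if action == 'send_to_site':
        # The advisory's vulnerable path: send_to_site plus traversal is the
        # signature of an attempted write outside the backup directory.
        finding['severity'] = 'high' if TRAVERSAL_RE.search(decoded) else 'medium'
    return finding


def scan(log_text):
    """Classify every line of a log and keep only WPvivid-related findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]
```

Standard access logs record only the query string, so a wpvivid_action value sent in a POST body is invisible to this check; pair it with the file-system scan for unexpected PHP files.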
Exploitation status
Public Exploit Available: false
Analyst recommendation
The combination of predictable encryption and directory traversal makes this vulnerability extremely dangerous. Administrators must update the plugin immediately. If an update cannot be performed, the plugin should be deactivated and removed until a patch is applied to prevent unauthenticated remote takeover.