WordPress plugin with 900k installs vulnerable to critical RCE flaw: CVE-2026-1357 (CVSS 9.8) and BeyondTrust CVE-2026-1731
Key Takeaways:
- CVE-2026-1357: A critical 9.8 CVSS vulnerability in WPvivid Backup & Migration allows unauthenticated attackers to execute remote code.
- CVE-2026-1731: BeyondTrust solutions are facing rapid reconnaissance from sophisticated actors using JA4+ fingerprinting and VPN obfuscation.
- Remediation: WPvivid users must update to version 0.9.124 immediately; BeyondTrust self-hosted users must patch to RS 25.3.2 or PRA 25.1.1.
- Actor Intelligence: The WPvivid flaw turns an unchecked decryption failure into a predictable key, and the BeyondTrust scanners probe non-standard ports from VPN exit nodes; both defeat defenses that rely on default ports or on cryptography failing loudly.
Table of Contents
- WordPress plugin with 900k installs vulnerable to critical RCE flaw
- Technical Analysis of CVE-2026-1357
- Exploitation Context and Threat Intelligence
- BeyondTrust Reconnaissance: CVE-2026-1731
- Observation and Scanning Patterns
- Multi-Exploit Actor Profiles
- Supply-Chain Implications and Vulnerability Management
- Technical Remediation for WPvivid (CVE-2026-1357)
- Technical Remediation for BeyondTrust (CVE-2026-1731)
- PurpleOps Expertise in Threat Mitigation
- Actionable Takeaways for Stakeholders
- Frequently Asked Questions
On February 12, 2026, security researchers identified a critical vulnerability in the WPvivid Backup & Migration plugin, affecting over 900,000 WordPress installations. This flaw, indexed as CVE-2026-1357 with a CVSS score of 9.8, allows for unauthenticated remote code execution (RCE) through arbitrary file uploads. Simultaneously, threat actors have initiated rapid reconnaissance against a separate critical vulnerability, CVE-2026-1731, affecting BeyondTrust remote access solutions. These concurrent threats indicate a heightened period of risk for enterprise infrastructure and web-facing assets.
WordPress plugin with 900k installs vulnerable to critical RCE flaw
The vulnerability in WPvivid Backup & Migration (CVE-2026-1357) stems from a combination of cryptographic implementation errors and insufficient input sanitization. While the plugin is a primary tool for site migrations and backups, the flaw resides in the “receive backup from another site” feature. Although this feature is not enabled by default, it is frequently activated during migration workflows or when establishing automated offsite backup routines.
Technical Analysis of CVE-2026-1357
The root cause of CVE-2026-1357 is improper error handling around RSA decryption. The plugin uses PHP's openssl_private_decrypt() to unwrap incoming data; that function returns false when decryption fails, and a safe implementation aborts the request at that point. In WPvivid versions up to 0.9.123 the failure is not checked, and the false value flows on into the rest of the handler.
That false is then handed to the plugin's Rijndael (AES) routine as key material. PHP coerces false to an empty string, and the cipher library fills the missing key bytes with nulls, so every failed decryption yields the same all-zero key. An attacker who knows this encrypts a payload under that key; the plugin decrypts it successfully and processes it as if it came from a legitimate peer.
Furthermore, the filename of the uploaded object is not sanitized. Path traversal sequences in that filename let the attacker write outside the designated backup directory and drop a PHP file into the web root, or any other directory the server executes, which yields remote code execution and full site takeover.
A mitigating factor is the 24-hour validity window for the generated keys required to send backup files. However, this window is sufficient for targeted attacks, especially since the plugin is often used by administrators during high-activity periods like host migrations.
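To make the failure mode concrete, here is an added example in Python (not WPvivid's code) that models the three steps described above: a decrypt that returns False, key material that silently becomes all null bytes, and a filename that is never confined to the backup directory. The RSA unwrap is a stand-in function, the Rijndael step is replaced by an HMAC under the session key (the weakness is the key, not the cipher), and the hardened variants show the checks that stop both the forged payload and the traversal. KEY_LEN, the "valid:" marker, and the paths are assumptions of this example.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # AES-256 key length; the size the padding step fills to


def rsa_unwrap(blob, private_key):
    """Stand-in for PHP's openssl_private_decrypt(): returns the key bytes on
    success and False on failure. Success is simulated by a 'valid:' prefix;
    anything else models attacker-supplied junk ciphertext (assumption)."""
    if blob.startswith(b"valid:"):
        return blob[len(b"valid:"):]
    return False


def derive_key_vulnerable(unwrapped):
    """The flaw described in the text: False is coerced to an empty string and
    the cipher library pads a short key with null bytes, so every failed
    decryption produces the same all-zero key."""
    material = b"" if unwrapped in (False, None) else bytes(unwrapped)
    return material[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def derive_key_hardened(unwrapped):
    """Fail closed: refuse anything that is not exactly KEY_LEN bytes."""
    if not isinstance(unwrapped, (bytes, bytearray)) or len(unwrapped) != KEY_LEN:
        raise ValueError("session key unwrap failed or has wrong length")
    return bytes(unwrapped)


def tag(key, payload):
    """Stand-in for the plugin's Rijndael step: an HMAC under the session key.
    The primitive is irrelevant; the attacker wins because the key is known."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def receive_backup(wrapped_key, payload, payload_tag, private_key, derive):
    """Receiver: unwrap the per-session key via `derive`, then verify the
    payload. Returns True when the payload is accepted."""
    key = derive(rsa_unwrap(wrapped_key, private_key))
    return hmac.compare_digest(tag(key, payload), payload_tag)


def attacker_forge(payload):
    """Attacker side: no private key and no valid wrapped key. Send junk so the
    unwrap fails, and authenticate the payload under the key the vulnerable
    receiver is known to end up with."""
    predictable = b"\x00" * KEY_LEN
    return b"not-a-real-rsa-ciphertext", payload, tag(predictable, payload)


def safe_backup_path(backup_dir, filename):
    """The filename check the text says was missing: the written file must
    stay inside backup_dir and must not carry a PHP-executable extension."""
    base = os.path.realpath(backup_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path traversal rejected: %r" % filename)
    if candidate.lower().endswith((".php", ".phtml", ".phar", ".php5", ".php7")):
        raise ValueError("executable extension rejected: %r" % filename)
    return candidate
```

The forged payload is accepted by `derive_key_vulnerable` and rejected by `derive_key_hardened`; the hardened path still accepts a genuine 32-byte key, which is the property worth testing after any fix of this kind. Length-checking the unwrapped key is not a substitute for checking the return value, but it catches the same class of bug if a future refactor drops the check.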
Exploitation Context and Threat Intelligence
The discovery of CVE-2026-1357 coincides with a broader trend of attackers targeting WordPress plugin ecosystems to establish initial access. Utilizing a cyber threat intelligence platform allows organizations to track how these vulnerabilities are discussed in the wild. Our dark web monitoring service and telegram threat monitoring have shown that unauthenticated RCE exploits for high-install plugins are frequently traded or shared among initial access brokers.
When a vulnerability like CVE-2026-1357 reaches CVSS 9.8, it becomes a priority for automated scanning, and exploitation attempts typically begin before most sites have patched. For organizations managing multiple WordPress instances, breach detection protocols must now include an audit of the WPvivid configuration, specifically whether the "receive backup from another site" feature is enabled.
BeyondTrust Reconnaissance: CVE-2026-1731
While WordPress sites face the WPvivid flaw, enterprise environments are simultaneously targeted by reconnaissance for CVE-2026-1731. This vulnerability affects BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). It is a variant of CVE-2024-12356, the BeyondTrust flaw that the Chinese state-sponsored group Silk Typhoon (previously tracked by Microsoft as Hafnium) exploited in the 2024 breach of the U.S. Treasury Department.
Observation and Scanning Patterns
Analysis from global sensor networks indicates that reconnaissance for CVE-2026-1731 began within 24 hours of the vulnerability’s disclosure on February 11, 2026. Data shows several critical patterns:
- Scanner Dominance: A single IP address has been responsible for approximately 86% of the observed reconnaissance sessions. This IP is associated with a commercial VPN provider based in Frankfurt, Germany.
- Port Probing Strategy: BeyondTrust appliances normally listen on port 443 (HTTPS), yet the scanners systematically sweep clusters of non-standard ports, which catches instances that administrators have moved off 443 as an obscurity measure.
- JA4+ Fingerprinting: 100% of the sessions carry a JA4T (TCP) fingerprint with Linux stack characteristics and a Maximum Segment Size (MSS) of 1358. An MSS that far below the 1460 of an untunnelled Ethernet path is consistent with VPN tunnel encapsulation.
- Tooling Identifiers: Two distinct exploit tools have been identified through HTTP header (JA4H) analysis. Neither matches a known legitimate client in the JA4 fingerprint databases.
Multi-Exploit Actor Profiles
The actors targeting BeyondTrust are not limited to a single exploit. Their profiles show concurrent brute-forcing and exploitation attempts against SonicWall appliances, MOVEit Transfer, Log4Shell-vulnerable Java services, and Sophos firewalls. This multi-vector approach underscores the need for comprehensive supply-chain risk monitoring and underground forum intelligence to understand the scope of active campaigns.
The actors' use of out-of-band application security testing (OAST) callback domains points to mature tooling. With OAST, the exploit payload makes the target call out, by DNS or HTTP, to attacker-controlled infrastructure, so the attacker confirms the vulnerability without needing a readable response from the target. Signatures that inspect only the inbound request miss this, which is why outbound DNS and egress logging matter for detecting it.
Supply-Chain Implications and Vulnerability Management
Both CVE-2026-1357 and CVE-2026-1731 represent significant risks to the digital supply chain. WordPress plugins like WPvivid are often integrated into automated deployment pipelines, meaning a vulnerability can propagate across hundreds of client sites. Similarly, BeyondTrust is a critical component for managing privileged access; a compromise here provides the “keys to the kingdom.”
To manage these risks, organizations must move beyond scheduled patching: monitor for leaked credentials tied to the brand, and use threat intelligence to learn of exploit development early enough to act before mass scanning begins.
Technical Remediation for WPvivid (CVE-2026-1357)
Engineers should execute the following steps to mitigate the risk from CVE-2026-1357:
- Update Immediately: Upgrade the WPvivid Backup & Migration plugin to version 0.9.124 or higher.
- Configuration Audit: Ensure the “Receive backup from another site” option is disabled unless actively required.
- File System Inspection: Scan the wp-content/uploads/wpvividbackups directory and the site root for unexpected .php files.
- Log Analysis: Review web server access logs for POST requests to the plugin's upload endpoints from unknown IP addresses.
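An added example (not part of the advisory or the plugin) that carries out the file-system and log checks above in Python over a constructed site tree and constructed access-log lines. The admin-ajax action name wpvivid_receive, the backup path, and the sample IPs are assumptions of this example; the real endpoint depends on the installed plugin version.

```python
import os
import re
import tempfile

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the receive endpoint is reached through admin-ajax.php with an
# action parameter carrying the plugin slug. Adjust to the routes your
# installed version actually registers.
PLUGIN_TARGET_RE = re.compile(r"admin-ajax\.php\?.*wpvivid", re.IGNORECASE)

# PHP files that legitimately live in a WordPress site root. The "wp-" prefix
# is a coarse allowlist; for a real audit compare against core checksums
# (wp core verify-checksums) because wp-anything.php would slip through here.
CORE_ROOT_PHP = {"index.php", "wp-config.php", "xmlrpc.php"}
PHP_EXT = (".php", ".phtml", ".phar", ".php5", ".php7")


def find_unexpected_php(site_root, backup_dir):
    """Return PHP files that should not exist: any PHP file under the backup
    directory, and non-core PHP files directly in the site root."""
    hits = []
    for dirpath, _, files in os.walk(backup_dir):
        for name in files:
            if name.lower().endswith(PHP_EXT):
                hits.append(os.path.join(dirpath, name))
    for name in os.listdir(site_root):
        full = os.path.join(site_root, name)
        if not os.path.isfile(full) or not name.lower().endswith(PHP_EXT):
            continue
        if name in CORE_ROOT_PHP or name.startswith("wp-"):
            continue
        hits.append(full)
    return sorted(hits)


def suspicious_upload_posts(log_text, known_ips):
    """Return POSTs to the plugin's endpoints from IPs outside known_ips."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if not PLUGIN_TARGET_RE.search(m.group("target")):
            continue
        if m.group("ip") in known_ips:
            continue
        findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), "status": int(m.group("status"))})
    return findings


# Constructed sample log (not real traffic): one plugin POST from an unknown
# IP, one from the known migration source, and unrelated requests.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2026:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=wpvivid_receive HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.20 - - [12/Feb/2026:03:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=wpvivid_receive HTTP/1.1" 200 512 "-" "WordPress/6.7"
192.0.2.9 - - [12/Feb/2026:03:16:44 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2026:03:17:10 +0000] "GET /wp-content/uploads/wpvividbackups/c.php?x=id HTTP/1.1" 200 31 "-" "curl/8.5"
"""
KNOWN_MIGRATION_SOURCES = {"198.51.100.20"}  # the site you actually migrate from


def demo():
    """Build a constructed site tree in a temp dir, run both checks, and
    return the findings (paths relative to the site root)."""
    with tempfile.TemporaryDirectory() as root:
        backups = os.path.join(root, "wp-content", "uploads", "wpvividbackups")
        os.makedirs(backups)
        for name in ("index.php", "wp-config.php", "wp-login.php", "xmlrpc.php", "c.php"):
            open(os.path.join(root, name), "w").close()
        open(os.path.join(backups, "site-2026-02-12.zip"), "w").close()
        open(os.path.join(backups, "c.php"), "w").close()
        php_hits = [os.path.relpath(p, root) for p in find_unexpected_php(root, backups)]
    return {"php": php_hits,
            "posts": suspicious_upload_posts(SAMPLE_LOG, KNOWN_MIGRATION_SOURCES)}
```

The same GET to a freshly dropped c.php in the backup directory (visible in the sample log) is the other thing to grep for once a suspicious POST is found: a 200 on a PHP file under a directory that should only hold archives is the clearest sign the upload was executed.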
Technical Remediation for BeyondTrust (CVE-2026-1731)
For BeyondTrust deployments, the following actions are required:
- Cloud Customers: Verify that your instance has been automatically patched (completed by the vendor on February 2, 2026).
- Self-Hosted Customers: Manually update to RS version 25.3.2+ or PRA version 25.1.1+.
- Network Segmentation: Restrict BeyondTrust administrative interfaces from direct internet exposure using IP allowlisting or VPNs.
- Fingerprint Monitoring: Monitor for JA4+ fingerprints and MSS values (e.g., MSS 1358) identified in recent threat research.
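An added example, not from the referenced research, that applies the indicators above to sensor records in Python: it parses JA4T strings, flags the MSS of 1358 and probes to non-standard ports, and computes how much of the traffic comes from a single source. The log line layout, the sample IPs, and the Linux TCP option order used for the stack guess are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sensor records (not real telemetry), one line per TCP session.
# The layout is ours; Zeek and Suricata JA4 outputs differ in framing but
# expose the same JA4T string.
SAMPLE_SESSIONS = """\
2026-02-12T01:03:11Z src=203.0.113.45 dst=198.51.100.10 dport=443 ja4t=64240_2-4-8-1-3_1358_7
2026-02-12T01:03:12Z src=203.0.113.45 dst=198.51.100.10 dport=8443 ja4t=64240_2-4-8-1-3_1358_7
2026-02-12T01:03:12Z src=203.0.113.45 dst=198.51.100.10 dport=9443 ja4t=64240_2-4-8-1-3_1358_7
2026-02-12T01:03:13Z src=203.0.113.45 dst=198.51.100.11 dport=443 ja4t=64240_2-4-8-1-3_1358_7
2026-02-12T01:03:14Z src=203.0.113.45 dst=198.51.100.11 dport=10443 ja4t=64240_2-4-8-1-3_1358_7
2026-02-12T01:03:15Z src=203.0.113.45 dst=198.51.100.12 dport=443 ja4t=64240_2-4-8-1-3_1358_7
2026-02-12T01:05:40Z src=192.0.2.77 dst=198.51.100.10 dport=443 ja4t=64240_2-1-3-1-1-4_1460_8
"""

STANDARD_PORTS = {443}
TUNNEL_MSS = 1358      # the MSS reported for the scanning sessions above
ETHERNET_MSS = 1460    # MSS of an untunnelled 1500-byte MTU path
# Assumption: TCP option order typical of a Linux SYN (MSS, SACK-permitted,
# timestamps, NOP, window scale). Windows stacks usually send 2-1-3-1-1-4.
LINUX_OPTION_ORDER = "2-4-8-1-3"

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) ja4t=(?P<ja4t>\S+)")


def parse_ja4t(s):
    """JA4T is window-size_option-kinds_MSS_window-scale; returns a dict."""
    window, options, mss, wscale = s.split("_")
    return {"window": int(window), "options": options,
            "mss": int(mss), "wscale": int(wscale)}


def parse_sessions(text):
    """Parse the sensor lines into records, skipping anything malformed."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
        rec.update(parse_ja4t(m["ja4t"]))
        out.append(rec)
    return out


def flag_sessions(records):
    """Attach the indicators from the text to each record: the tunnel MSS
    (or any reduced MSS), a Linux-like stack, and a non-standard port."""
    flagged = []
    for r in records:
        reasons = []
        if r["mss"] == TUNNEL_MSS:
            reasons.append("mss_1358")
        elif r["mss"] < ETHERNET_MSS:
            reasons.append("reduced_mss_%d" % r["mss"])
        if r["options"] == LINUX_OPTION_ORDER:
            reasons.append("linux_stack")
        if r["dport"] not in STANDARD_PORTS:
            reasons.append("nonstandard_port_%d" % r["dport"])
        if reasons:
            flagged.append(dict(r, reasons=reasons))
    return flagged


def scanner_dominance(records):
    """Source IP with the most sessions and its share of the total."""
    counts = Counter(r["src"] for r in records)
    ip, n = counts.most_common(1)[0]
    return ip, n / len(records)
```

Treat the MSS value as a pivot, not a verdict: any client behind a tunnel with the same overhead will show 1358, so the useful alert is the combination (reduced MSS, Linux stack, sweep of non-443 ports, one source dominating) rather than any single field.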
PurpleOps Expertise in Threat Mitigation
PurpleOps provides the technical infrastructure and expertise required to navigate these critical vulnerabilities. Our approach combines automated monitoring with manual analysis to ensure that unauthenticated RCE flaws do not become entry points for ransomware or data exfiltration.
Our cyber threat intelligence services provide granular data on emerging CVEs. Through our dark web monitoring capabilities, we identify when exploits for WordPress plugins or enterprise tools are being sold on underground markets.
For organizations concerned about the integrity of their web assets, PurpleOps offers specialized red team operations. Furthermore, our focus on supply chain information security ensures that third-party tools are properly scrutinized for vulnerabilities. We provide the real-time ransomware intelligence necessary to defend against automated scanning campaigns.
Actionable Takeaways for Stakeholders
For Technical Teams:
- Implement automated vulnerability scanning prioritizing CVSS 9.0+ flaws.
- Treat any cryptographic API failure (for example, a decrypt that returns false) as fatal for the request; never let the result flow on into key material.
- Utilize JA4+ fingerprinting within your SIEM to identify anomalous behavior.
For Business Leaders:
- Ensure IT teams have the mandate for emergency patching outside standard windows.
- Evaluate and reduce the attack surface by removing redundant third-party plugins.
- Recognize that modern reconnaissance tools render “security through obscurity” obsolete.
To learn more about how PurpleOps can secure your infrastructure, explore our Platform or view PurpleOps Solutions.
Frequently Asked Questions
What makes CVE-2026-1357 so dangerous?
It allows for unauthenticated Remote Code Execution (RCE) because of a cryptographic error where a failed decryption results in a predictable null-byte key, enabling attackers to upload and execute malicious PHP scripts.
How can I detect if I am being scanned for the BeyondTrust vulnerability?
Look for connection attempts using an MSS of 1358 and JA4+ fingerprints that indicate Linux stack characteristics originating from VPN providers, specifically probing non-standard ports.
Is the WPvivid vulnerability active by default?
No, the specific feature (“receive backup from another site”) must be enabled, but it is a common configuration during migrations or for remote backup management.
Who is Silk Typhoon?
Silk Typhoon is a Chinese state-sponsored threat group known for targeting critical infrastructure and government agencies by exploiting high-impact vulnerabilities in remote access and edge solutions.