WPVivid Vulnerability CVE-2026-1357 Fix Guide (tweakswp.com)

01-check-version.sh

# Check WPVivid version on a single site
wp plugin list --name=wpvivid-backuprestore --fields=name,version,status

# Check across all sites on a multisite network
wp site list --field=url | xargs -I {} wp plugin list --name=wpvivid-backuprestore --fields=name,version,status --url={}

02-check-compromise.sh

# Look for recently modified PHP files in uploads
find wp-content/uploads -name "*.php" -mtime -30 -ls

# Check for unknown files in the WPVivid directory
ls -la wp-content/plugins/wpvivid-backuprestore/

# Search for common webshell signatures
grep -rn "eval(base64_decode" wp-content/uploads/
grep -rn "system(\$_" wp-content/
grep -rn "exec(\$_GET" wp-content/

# Check access logs for the exploit endpoint
grep "wpvivid_action=send_to_site" /var/log/apache2/access.log
grep "wpvivid_action=send_to_site" /var/log/nginx/access.log

03-update-wpvivid.sh

# Update WPVivid
wp plugin update wpvivid-backuprestore

# Verify the update
wp plugin list --name=wpvivid-backuprestore --fields=name,version,update_available

04-scan-malicious-files.sh

# Scan for PHP files in non-PHP directories
find wp-content/uploads -type f -name "*.php" -o -name "*.phtml" -o -name "*.php5"

# Check WordPress core file integrity
wp core verify-checksums

# Verify plugin file integrity
wp plugin verify-checksums --all

# List any recently created admin users
wp user list --role=administrator --fields=ID,user_login,user_registered --format=table

05-check-access-logs.sh

# Apache
grep -i "wpvivid_action" /var/log/apache2/access.log | grep -i "send_to_site"

# Nginx
grep -i "wpvivid_action" /var/log/nginx/access.log | grep -i "send_to_site"

# If using cPanel/Plesk, check domain-specific logs
grep -i "wpvivid_action" ~/access-logs/yourdomain.com

06-audit-script.sh

#!/bin/bash
# WPVivid Vulnerability Audit Script
# Run from the parent directory containing your WordPress installations

echo "=== WPVivid CVE-2026-1357 Audit ==="
echo "Date: $(date)"
echo ""

for site in */; do
  if [ -f "${site}wp-config.php" ]; then
    echo "--- Checking: $site ---"
    
    # Check if WPVivid is installed
    version=$(wp plugin list --name=wpvivid-backuprestore --fields=version --format=csv --path="$site" 2>/dev/null | tail -1)
    
    if [ -n "$version" ] && [ "$version" != "version" ]; then
      echo "  WPVivid version: $version"
      
      # Compare versions
      if [ "$(printf '%s\n' "0.9.124" "$version" | sort -V | head -1)" != "0.9.124" ]; then
        echo "  STATUS: VULNERABLE - Update required!"
      else
        echo "  STATUS: Patched"
      fi
      
      # Check for suspicious PHP files in uploads
      php_count=$(find "${site}wp-content/uploads" -name "*.php" 2>/dev/null | wc -l)
      echo "  PHP files in uploads: $php_count"
      
    else
      echo "  WPVivid: Not installed"
    fi
    echo ""
  fi
done

07-block-php-uploads-htaccess.conf

# wp-content/uploads/.htaccess
<Files "*.php">
  Order Deny,Allow
  Deny from all
</Files>

08-block-php-uploads-nginx.conf

location ~* /wp-content/uploads/.*\.php$ {
  deny all;
}

09-enable-auto-updates.sh

# Enable auto-updates for specific plugins
wp plugin auto-updates enable wpvivid-backuprestore
wp plugin auto-updates enable wordfence

# Or enable for all plugins
wp plugin auto-updates enable --all

10-file-monitoring.sh

# Create a baseline of your WordPress files
find /path/to/wordpress -type f -name "*.php" -exec md5sum {} \; > /root/wp-baseline.md5

# Compare against baseline (run daily via cron)
md5sum -c /root/wp-baseline.md5 2>/dev/null | grep FAILED

11-security-constants.php

// Add to wp-config.php
define('DISALLOW_FILE_EDIT', true);

// For production sites with CI/CD deployment
define('DISALLOW_FILE_MODS', true);