WordPress Backup Plugin Vulnerability Exposes 800,000 Sites to Remote Code Execution Attacks
ID: d211f7fb-ef52-59de-83a8-9dd6e5d7f6f2
STIX ID: report--d211f7fb-ef52-59de-83a8-9dd6e5d7f6f2
Feed Name: cybersecurityNews.com
A critical unauthenticated arbitrary file upload vulnerability (CVE-2026-1357, CVSS 9.8) in WPvivid Backup & Migration (≤0.9.123) allows attackers to upload PHP files and achieve RCE via the receive-backup `send_to_site` endpoint. The cause is RSA decryption error handling and unsanitized filenames. To mitigate, update to 0.9.124, disable receive-backup keys when not needed, rotate keys, and inspect the web root for unexpected PHP files.
