WordPress Backup Plugin Vulnerability Exposes 800,000 Sites to Remote Code Execution Attacks
ID: a1640654-0c12-5c3e-8d33-82662af5b7c8
STIX ID: report--a1640654-0c12-5c3e-8d33-82662af5b7c8
Feed Name: GBHackers
**Executive Summary:** A critical remote code execution vulnerability (CVE-2026-1357, CVSS 9.8) in the WPvivid Backup & Migration plugin (versions <= 0.9.123) allows unauthenticated attackers to upload and execute arbitrary PHP files. The root causes are improper RSA decryption error handling and insufficient filename sanitization, and the flaw potentially impacts over 800,000 WordPress sites. The vendor released version 0.9.124 and Wordfence deployed firewall protections; site owners are urged to update immediately.
