A critical authentication bypass (CVE-2026-10795) has been reported in UpdraftPlus: WP Backup & Migration Plugin for WordPress. According to Wordfence and an NVD-linked reference to the plugin’s remote communications code, all versions up to and including 1.26.4 are affected, with a fix available in version 1.26.5. Wordfence rates the issue 8.1 (High) and notes that exploitation is limited to sites that were previously connected to UpdraftCentral, the plugin’s remote site management dashboard.
Why it matters: UpdraftPlus is widely deployed, and remote management features are attractive targets. While the exploit path is constrained to sites connected to UpdraftCentral, successful abuse on those sites could allow an attacker to run privileged actions as an administrator, including installing and activating plugins that execute arbitrary PHP code.
What’s affected and how the bug works
Wordfence explains that the vulnerability originates in the plugin’s remote communications mechanism (referenced in the NVD feed via the RPC class file at vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc.php). During message handling, the code insufficiently validates the incoming format and signature. Crucially, when the RSA decryption step fails, the underlying library returns false rather than throwing an exception. The subsequent AES setup then collapses to a deterministic, all-zero key and initialization vector. An attacker who reproduces this configuration can encrypt a forged message that the listener will accept.
On affected sites previously connected to UpdraftCentral, the listener dispatches accepted messages as if they came from the connected dashboard. Wordfence reports that the handler sets the current user to the administrator who linked the site, causing capability checks to pass. UpdraftPlus includes powerful RPC commands such as uploading and activating plugins, so a forged request could lead to full site compromise via arbitrary PHP execution.
Confirmed scope and patch status
- Affected: UpdraftPlus versions up to and including 1.26.4 (per Wordfence and the NVD-linked reference)
- Exploit condition: Only sites that have previously been connected to UpdraftCentral are exposed (per Wordfence)
- Patched: Version 1.26.5 (per Wordfence)
Wordfence attributes the fix to adding a return-value check during decryption, preventing the “all-zero key” fallback path. Wordfence also notes it released a firewall rule for its Premium, Care, and Response users on June 3, 2026, with the same protection scheduled for Wordfence Free users on July 3, 2026.
Practical next steps
The evidence supports the following immediate actions:
- Update UpdraftPlus to version 1.26.5 or later.
- Determine whether your site was ever connected to UpdraftCentral to assess exposure.
- If you use Wordfence security products, be aware of the firewall rule availability dates reported by Wordfence.
Technical notes for defenders
The vulnerable flow is associated with the UpdraftPlus remote communications path referenced by NVD and described by Wordfence as involving UpdraftPlus_Remote_Communications_V2::wp_loaded. The core issue is a combination of insufficient message validation, a bypassable signature check, and unchecked decryption results that degrade to a predictable cryptographic state. Once a forged message is accepted, the listener runs RPC commands in the context of the administrator account that linked the site to UpdraftCentral.
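The failure mode above (a decryption routine that signals failure with a false return value, which downstream code then pads into an all-zero key and IV) and the fix Wordfence describes (checking the return value before deriving any key) are easy to see in isolation. The following PHP is an added illustration written for this article; it is not UpdraftPlus or phpseclib code and does not reproduce the plugin's message format. It uses PHP's OpenSSL extension, generates a throwaway RSA key pair, and contrasts the unchecked pattern with a checked one. The function names, the 32-byte key plus 16-byte IV layout, and the constructed inputs are assumptions for the demo.

```php
<?php
// Added example (not UpdraftPlus code): how an unchecked decrypt result
// degrades to a predictable AES key/IV, and the return-value check that
// prevents it. Assumes the PHP OpenSSL extension; keys are generated here.

declare(strict_types=1);

const AES_KEY_LEN = 32; // constructed layout for this demo: 32-byte key ...
const AES_IV_LEN  = 16; // ... followed by a 16-byte IV in the unwrapped material

/**
 * Vulnerable pattern. openssl_private_decrypt() returns false on failure and
 * leaves $plain empty. Casting that to a string and zero-padding it produces
 * an all-zero key and IV, so anyone can build a message the listener accepts.
 */
function derive_session_key_unchecked($private_key, string $wrapped): array
{
    $plain = '';
    // Return value deliberately ignored: this is the defect being illustrated.
    openssl_private_decrypt($wrapped, $plain, $private_key, OPENSSL_PKCS1_OAEP_PADDING);
    $material = (string) $plain; // '' when decryption failed
    return [
        'key' => str_pad(substr($material, 0, AES_KEY_LEN), AES_KEY_LEN, "\0"),
        'iv'  => str_pad(substr($material, AES_KEY_LEN, AES_IV_LEN), AES_IV_LEN, "\0"),
    ];
}

/**
 * Hardened pattern. A failed unwrap is a hard error, and the recovered
 * material must be exactly the expected length before it is used as a key.
 */
function derive_session_key_checked($private_key, string $wrapped): array
{
    $plain = '';
    $ok = openssl_private_decrypt($wrapped, $plain, $private_key, OPENSSL_PKCS1_OAEP_PADDING);
    if ($ok !== true || !is_string($plain) || strlen($plain) !== AES_KEY_LEN + AES_IV_LEN) {
        throw new RuntimeException('RSA unwrap failed; refusing to derive a session key');
    }
    return [
        'key' => substr($plain, 0, AES_KEY_LEN),
        'iv'  => substr($plain, AES_KEY_LEN, AES_IV_LEN),
    ];
}

// --- Demo with constructed inputs -------------------------------------------

$keypair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$public = openssl_pkey_get_details($keypair)['key'];

// A legitimate peer wraps fresh session material under our public key.
$material = random_bytes(AES_KEY_LEN + AES_IV_LEN);
$wrapped  = '';
openssl_public_encrypt($material, $wrapped, $public, OPENSSL_PKCS1_OAEP_PADDING);

// Random bytes that were never encrypted to our key (constructed bad input).
$garbage = random_bytes(256);

$bad = derive_session_key_unchecked($keypair, $garbage);
echo 'unchecked, bad input -> all-zero key: ',
     var_export($bad['key'] === str_repeat("\0", AES_KEY_LEN), true), PHP_EOL;

try {
    derive_session_key_checked($keypair, $garbage);
} catch (RuntimeException $e) {
    echo 'checked, bad input -> rejected: ', $e->getMessage(), PHP_EOL;
}

$good = derive_session_key_checked($keypair, $wrapped);
echo 'checked, valid input -> key matches peer: ',
     var_export($good['key'] === substr($material, 0, AES_KEY_LEN), true), PHP_EOL;
```

Run it with `php demo.php`. The point for reviewers of similar code is the shape of the check, not the library: treat any non-true result from a decrypt or unwrap call as fatal, verify the length of what came back before it becomes key material, and never let a falsy value flow into string padding or key-setup functions that will silently accept it.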
Limitations and open questions
The public evidence indicates a complete patch in 1.26.5 and confirms the exploit precondition (prior UpdraftCentral connection). The materials do not provide vendor guidance on post-update steps such as key rotation or connection re-establishment. There is no statement in the provided sources about in-the-wild exploitation. If those details matter to your risk assessment, consult the official plugin changelog and the vendor’s advisories when available.
Conclusion
CVE-2026-10795 is a high-severity authentication bypass in UpdraftPlus that becomes critical on sites linked to UpdraftCentral. The vendor has addressed the issue in version 1.26.5. If your WordPress site runs UpdraftPlus, update promptly and verify whether an UpdraftCentral connection exists or existed to understand your exposure window.
References:
- Wordfence: Critical Unauthenticated Authentication Bypass Vulnerability Patched in UpdraftPlus WordPress Plugin — https://www.wordfence.com/blog/2026/06/critical-unauthenticated-authentication-bypass-vulnerability-patched-in-updraftplus-wordpress-plugin/
- NVD Recent CVEs entry (references RPC class file): https://plugins.svn.wordpress.org/updraftplus/tags/1.26.4/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc.php
Alex Mira is a fictitious AI-assisted author created for the Toolslib blog. Designed to support cybersecurity education, Alex writes about malware trends, software utilities, privacy practices, Windows internals, and practical defensive workflows. Articles published under Alex’s name are generated or assisted by AI and reviewed according to Toolslib’s editorial standards before publication.