Security Alert Summary
The UpdraftPlus: WP Backup & Migration Plugin contains an authentication bypass vulnerability in all versions up to and including 1.26.4. The issue is located in the UpdraftPlus_Remote_Communications_V2::wp_loaded function and allows signature verification to be bypassed and decryption results to collapse to a predictable all-zero encryption key. An unauthenticated attacker could forge RPC commands that run as the connected administrator, potentially leading to plugin upload and activation and remote code execution.
CVE Details
- CVE ID: CVE-2026-10795
- Affected component: UpdraftPlus: WP Backup & Migration Plugin
- Affected versions: All versions up to and including 1.26.4
- Published: June 11, 2026 at 7:16:26 AM
- Last modified: June 11, 2026 at 2:42:47 PM
- CVSS v3.1: Base score 8.1 (High); Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Authentication / privileges / user interaction: No authentication required; privileges required: None; user interaction: None
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- CWE / weakness: CWE-347
Technical Details
The vulnerability is an authentication bypass in the plugin’s remote communications implementation. In the UpdraftPlus_Remote_Communications_V2::wp_loaded function, validation of the remote communications message format is insufficient. Specifically, signature verification can be bypassed, and the return values of the decryption calls are not properly checked, so a failed decryption can collapse to a predictable all-zero encryption key.
Because of these failures, an unauthenticated attacker can forge arbitrary RPC commands that are accepted and executed as the connected administrator. The advisory explicitly notes that this can be used to upload and activate a malicious plugin, resulting in remote code execution. The impact is limited to the behavior of the vulnerable code path and the RPC handling logic it references.
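To make the two failure modes concrete from a defender's side, the following is an added illustrative example in PHP; it is not UpdraftPlus code and does not reproduce its message format. The field names (wrapped_key, iv, ciphertext, tag, signature), the function names, and the use of RSA-OAEP plus AES-256-GCM are assumptions chosen for the illustration.

```php
<?php
// Illustrative example, not UpdraftPlus code. Message layout and names are assumed.
// PHP's openssl_decrypt pads a too-short key with NUL bytes, so a failed unwrap that
// yields false (stringified to "") silently becomes a 32-byte all-zero AES key.
function unsafe_unwrap_key(string $wrapped, $our_private_key): string {
    $session_key = null;
    @openssl_private_decrypt($wrapped, $session_key, $our_private_key);
    return (string) $session_key;           // "" on failure: effectively an all-zero key
}

// Strict verify-then-decrypt: every return value is checked and any failure rejects the message.
function verify_and_decrypt(array $msg, $peer_public_key, $our_private_key): ?string {
    foreach (['wrapped_key', 'iv', 'ciphertext', 'tag', 'signature'] as $field) {
        if (!isset($msg[$field]) || !is_string($msg[$field])) {
            return null;                    // malformed message format: reject
        }
    }
    // 1. The signature must cover exactly the bytes we are about to decrypt.
    //    openssl_verify returns 1 (valid), 0 (invalid) or -1 (error); only 1 is acceptable.
    $signed = $msg['wrapped_key'] . $msg['iv'] . $msg['ciphertext'] . $msg['tag'];
    if (openssl_verify($signed, $msg['signature'], $peer_public_key, OPENSSL_ALGO_SHA256) !== 1) {
        return null;
    }
    // 2. Unwrap the session key; a false return or a wrong key length is fatal, never "".
    $session_key = null;
    if (!@openssl_private_decrypt($msg['wrapped_key'], $session_key, $our_private_key, OPENSSL_PKCS1_OAEP_PADDING)
        || !is_string($session_key) || strlen($session_key) !== 32) {
        return null;
    }
    // 3. Authenticated decryption; compare against false explicitly, not with a truthiness test.
    $plain = openssl_decrypt($msg['ciphertext'], 'aes-256-gcm', $session_key, OPENSSL_RAW_DATA, $msg['iv'], $msg['tag']);
    return $plain === false ? null : $plain;
}

// Self-check with a constructed key pair: garbage input must be rejected, not zeroed.
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub  = openssl_pkey_get_details($priv)['key'];
assert(unsafe_unwrap_key('garbage', $priv) === '');   // silent collapse to the zero key
$bogus = ['wrapped_key' => 'garbage', 'iv' => str_repeat("\0", 12),
          'ciphertext' => 'x', 'tag' => 'y', 'signature' => 'z'];
assert(verify_and_decrypt($bogus, $pub, $priv) === null);   // rejected at the signature check
```

Note that an authenticated mode alone would also fail the tag check under a zero key; the point is that the explicit checks at each step reject the message before any key material is derived from a failed call.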
How This Could Impact Your Website
On a site running a vulnerable version of UpdraftPlus, an unauthenticated remote attacker could execute RPC commands as an administrator. In a realistic scenario, the site owner and internal staff (editors or administrators) may not notice crafted RPC traffic, particularly on a site where external contractors or contributors with limited access also interact with it. An attacker able to upload and activate a plugin could introduce malicious code that exfiltrates data or performs further actions.
Practical consequences include exposure of internal user details such as email addresses and an increased risk of targeted phishing or social engineering against staff. If you're unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin (all versions up to and including 1.26.4 are affected) as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor and editor roles with elevated capabilities.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, including unexpected plugin uploads or activations.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.svn.wordpress.org/updraftplus/tags/1.26.4/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc.php
- https://plugins.svn.wordpress.org/updraftplus/tags/1.26.4/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc2.php
- https://plugins.trac.wordpress.org/changeset/3561938/updraftplus/trunk/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc2.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e901c2a0-2477-4b9a-8483-6002419e0a2f?source=cve