Active Exploitation of UpdraftPlus Auth Bypass Enables WordPress Site Takeover
A critical authentication bypass in the UpdraftPlus: WP Backup & Migration WordPress plugin, tracked as CVE-2026-10795, is being actively exploited against sites running versions up to and including 1.26.4. The flaw affects a plugin installed on more than three million WordPress sites and stems from insufficient validation in UpdraftCentral remote procedure call handling, including signature-verification weaknesses and unchecked decryption return values that can collapse to a predictable all-zero key. Wordfence reported blocking 4,987 exploitation attempts in a 24-hour period.
Successful exploitation lets unauthenticated attackers impersonate the connected administrator and issue arbitrary RPC actions, including uploading and auto-activating a malicious plugin for remote code execution and full site compromise. The vulnerability has been classified under CWE-347, with a CVSS v3.1 vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue was reportedly discovered by researcher vtim, and the vendor released a patch that adds stricter return-value validation; administrators are being urged to update immediately.
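For administrators acting on the update advice above, an added example (not from Wordfence, the vendor or the sources below) that audits a web root for UpdraftPlus copies in the affected range. It assumes the standard WordPress `wp-content/plugins/` layout and plugin header comment; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (1, 26, 4)  # page: versions up to and including 1.26.4
HEADER_BYTES = 8192         # WordPress reads plugin headers from the first 8 KB

def header_field(text, field):
    """Return one field of a WordPress plugin header comment, or None."""
    m = re.search(rf"^[ \t/*#@]*{re.escape(field)}:(.*)$", text, re.I | re.M)
    return m.group(1).strip() if m else None

def version_tuple(version):
    """'1.26.4' -> (1, 26, 4); stops at a non-numeric part, drops trailing zeros."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def classify(version):
    """Compare numerically: as strings, '1.9.60' would sort above '1.26.4'."""
    v = version_tuple(version or "")
    if not v:
        return "unknown"  # no parseable version: inspect by hand
    return "affected" if v <= LAST_AFFECTED else "patched"

def audit(root):
    """List (file, version, status) for each UpdraftPlus copy under root.

    Assumption: standard layout, <site>/wp-content/plugins/<dir>/<main>.php,
    with 'UpdraftPlus' in the Plugin Name header of the main file.
    """
    found = []
    for php in sorted(Path(root).rglob("wp-content/plugins/*/*.php")):
        head = php.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
        name = header_field(head, "Plugin Name")
        if name and "updraftplus" in name.lower():
            version = header_field(head, "Version")
            found.append((str(php), version, classify(version)))
    return found

if __name__ == "__main__":
    for path, version, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:9}{version or '?':12}{path}")
```

Run it with the hosting root as the only argument; any row marked `affected` or `unknown` needs the plugin updated or checked by hand.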

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Nuclei template updated to reduce CVE-2026-10795 false positives
A ProjectDiscovery pull request updated the Nuclei detection template for CVE-2026-10795 after the original logic falsely flagged non-WordPress applications such as Zimbra. The revised matcher now looks for the JSON key pattern "\"udrpc_message\":\"" to better match vulnerable UpdraftPlus responses, while patched 1.26.5 instances should no longer match.
CVE-2026-10795 is received by Wordfence
The CVE record states that security@wordfence.com received vulnerability CVE-2026-10795 on this date. The flaw was categorized as CWE-347 and described as an authentication bypass leading to possible remote code execution.
Wordfence observes active exploitation of UpdraftPlus flaw
Wordfence reported active exploitation of CVE-2026-10795 and said it blocked 4,987 attack attempts within a 24-hour period. Successful exploitation can lead to malicious plugin upload, activation, and full site compromise.
UpdraftPlus releases patch for CVE-2026-10795
The UpdraftPlus development team released a fix for CVE-2026-10795 by adding a strict return-value check. The issue affects plugin versions up to and including 1.26.4.
Researcher discovers UpdraftPlus authentication bypass flaw
The UpdraftPlus vulnerability CVE-2026-10795 was reportedly discovered by researcher vtim, who received a $5,200 bounty for responsible disclosure. The flaw affects UpdraftCentral RPC handling and can let unauthenticated attackers act as the connected administrator.
Sources
Fix false positive in CVE-2026-10795 (UpdraftPlus UpdraftCentral auth bypass) by Eren-Akdag · Pull Request #16418 · projectdiscovery/nuclei-templates · GitHub
github.com
CVE-2026-10795 - UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 - Unauthenticated Authentication Bypass via UpdraftCentral udrpc
cvefeed.io
UpdraftPlus CVE-2026-10795: 3M Sites Actively Exploited
securityonline.info
Spirit Framework WordPress Plugin CVE-2025-6388: Brief Summary of a Critical Authentication Bypass - ZeroPath Blog | ZeroPath
zeropath.com


