Mallory
Severity: High

Authentication Bypass and RCE in UpdraftPlus WordPress Plugin

Identifiers: CVE-2026-10795 · CWE-347 (Improper Verification of…)

CVE-2026-10795 is a critical authentication bypass vulnerability in the UpdraftPlus: WP Backup & Migration Plugin for WordPress, affecting all versions up to and including 1.26.4. The flaw is in the UpdraftPlus_Remote_Communications_V2::wp_loaded function and stems from insufficient validation of the remote communications message format used by UpdraftCentral-related RPC handling. According to the source advisory, signature verification can be bypassed, and unchecked decryption return values can collapse to a predictable all-zero encryption key. As a result, an unauthenticated attacker can forge arbitrary remote procedure call messages that are accepted and executed as the connected administrator. The described attack path includes issuing RPC commands to upload and activate a malicious plugin, which then leads to remote code execution on the target WordPress site.
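The following is an added illustration of the weakness class described above, not code from UpdraftPlus (the plugin's real message format, field names and function names are not on this page and are assumed here): a handler that unwraps a per-message key with openssl_private_decrypt() and ignores the boolean result, beside a hardened form that treats any failed signature check or failed unwrap as a rejected message before anything is decrypted or executed.

```php
<?php
// Constructed example of CWE-347-style handling; not UpdraftPlus code.
// Assumed envelope: base64 fields 'key' (RSA-wrapped AES key), 'iv', 'data', 'sig'.

function unwrap_message_unchecked(array $msg, string $privateKeyPem): ?string {
    $sessionKey = '';
    // Defect: the boolean return is never checked. If the unwrap fails, $sessionKey
    // stays empty and the padding below turns it into an all-zero AES key.
    openssl_private_decrypt(base64_decode($msg['key']), $sessionKey, $privateKeyPem);
    $aesKey = str_pad($sessionKey, 32, "\0");
    $plain = openssl_decrypt(base64_decode($msg['data']), 'aes-256-cbc', $aesKey,
                             OPENSSL_RAW_DATA, base64_decode($msg['iv']));
    return $plain === false ? null : $plain;
}

function unwrap_message_checked(array $msg, string $privateKeyPem, string $peerPublicKeyPem): ?string {
    // Reject structurally malformed envelopes before touching any crypto.
    foreach (['key', 'iv', 'data', 'sig'] as $field) {
        if (!isset($msg[$field]) || !is_string($msg[$field])) { return null; }
    }
    $wrappedKey = base64_decode($msg['key'], true);
    $iv         = base64_decode($msg['iv'], true);
    $data       = base64_decode($msg['data'], true);
    $sig        = base64_decode($msg['sig'], true);
    if ($wrappedKey === false || $iv === false || $data === false || $sig === false) { return null; }

    // Verify the signature over the ciphertext first; openssl_verify() returns 1 only when valid.
    if (openssl_verify($data, $sig, $peerPublicKeyPem, OPENSSL_ALGO_SHA256) !== 1) { return null; }

    $sessionKey = '';
    // Strict return-value check: a failed unwrap is a rejected message, never a zero key.
    if (openssl_private_decrypt($wrappedKey, $sessionKey, $privateKeyPem) !== true
        || strlen($sessionKey) !== 32 || strlen($iv) !== 16) {
        return null;
    }
    $plain = openssl_decrypt($data, 'aes-256-cbc', $sessionKey, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}
```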


Analyst brief: impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary RPC actions with the privileges of the connected administrator. The source advisory states this can be used to upload and automatically activate a malicious plugin, resulting in arbitrary PHP execution and potentially operating system command execution. The practical impact is full compromise of the affected WordPress site, including loss of confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling or restricting the vulnerable UpdraftCentral remote communications functionality where operationally feasible, limiting administrative connectivity, and closely monitoring for unexpected plugin uploads, plugin activations, and suspicious RPC-related requests. Review WordPress administrator accounts, installed plugins, and filesystem changes for signs of compromise. Because the vulnerability is described as actively exploited, mitigation should be treated only as a temporary measure until the plugin is updated.

Remediation

Patch, then assume compromise.

Update the UpdraftPlus: WP Backup & Migration Plugin to a patched version later than 1.26.4 immediately. The source advisory indicates the vendor released a fix that adds a strict return-value check in the vulnerable remote communications handling path. Administrators should ensure all affected instances are upgraded to the latest available secure release and verify that no unauthorized plugins or administrative actions occurred prior to patching.

Public exploits

No public exploit code observed for this vulnerability; none tracked yet.
