CVE-2026-10795: UpdraftPlus WordPress Plugin Authentication Bypass Leading to Remote Code Execution

CVE: CVE-2026-10795 | CVSS 3.1: 8.1 (HIGH) | CWE: CWE-306 | Vendor: UpdraftPlus | Product: UpdraftPlus: WP Backup & Migration Plugin | Affected versions: ≤ 1.26.4 | Installations: 3+ million


What Is the Vulnerability

UpdraftPlus includes a remote communications (RPC) protocol that allows authenticated remote control of the plugin’s backup, restore, and migration functions. This protocol relies on cryptographic signature verification to authenticate incoming commands and ensure they originated from a trusted administrator.

Two flaws combine to completely break this authentication mechanism:

  1. Flawed signature verification. The signature verification logic does not properly validate the integrity of RPC command payloads, allowing an attacker to craft commands that pass the verification check without possessing a valid key.
  2. Decrypt-to-zero encryption key. The encryption key used in the signature scheme decrypts to all-zero bytes under certain conditions. This predictable output means an attacker can trivially compute valid signatures for arbitrary RPC commands.

Together, these flaws allow an unauthenticated attacker to forge RPC commands that appear to originate from the site administrator. The attacker can then use the RPC interface to upload and activate a malicious plugin, achieving full remote code execution on the WordPress host. No prior authentication, user interaction, or privileged access is required — the attacker only needs network access to the target WordPress site.

The vulnerability is classified under CWE-306: Missing Authentication for Critical Function. The remote communications endpoint does not adequately verify the identity of the caller before executing privileged operations, making it directly exploitable over the network with low attack complexity.


Versions Affected

  • UpdraftPlus: WP Backup & Migration Plugin versions ≤ 1.26.4

UpdraftPlus is one of the most widely installed WordPress plugins, with over 3 million active installations across self-hosted WordPress sites worldwide. The plugin is used for scheduled backups, one-click restores, and site migrations — functions that inherently require broad filesystem and database access, making the impact of a compromise particularly severe.

Given the plugin’s privileged access to the entire WordPress filesystem and database, a successful exploit provides the attacker with not just application-level access but the ability to pivot to the underlying host through arbitrary file operations, scheduled task manipulation, and credential harvesting from wp-config.php.


Exploited?

No known active exploitation has been confirmed at the time of this writing. However, the vulnerability carries significant risk of near-term exploitation for several reasons:

  • Massive install base: With over 3 million active installations, UpdraftPlus presents an exceptionally large attack surface. Even a small fraction of unpatched sites represents tens of thousands of exploitable targets.
  • Unauthenticated vector: The vulnerability requires no authentication, no user interaction, and no prior access. It can be exploited by any remote attacker with network access to the target WordPress site.
  • High-value target: Successful exploitation yields full remote code execution on the WordPress host, including access to the database, configuration files, and the underlying server.
  • Predictable exploitation path: The decrypt-to-zero key and flawed signature verification make the exploit highly reproducible across all affected installations. Once a proof-of-concept is publicly available, mass scanning and exploitation are likely to follow rapidly.

Organisations should treat this vulnerability as KEV-equivalent in severity and patch urgency, even though it has not yet been added to the CISA Known Exploited Vulnerabilities catalog. The combination of unauthenticated RCE and a 3-million-site attack surface makes this one of the most significant WordPress plugin vulnerabilities of 2026.


Fix

The UpdraftPlus development team has released a patched version that addresses both the signature verification flaw and the decrypt-to-zero encryption key issue.

  • Update to a version beyond 1.26.4. The fix is included in the latest UpdraftPlus release. Navigate to Dashboard → Updates in your WordPress admin panel, or update the plugin manually via Plugins → Installed Plugins.
  • Verify the update. After updating, confirm that the UpdraftPlus version number in your installed plugins list is above 1.26.4.
  • Enable auto-updates for UpdraftPlus if your site policy allows, to ensure timely application of future security fixes.

Recommendations

  • Patch immediately. Update UpdraftPlus beyond version 1.26.4 on all WordPress sites, regardless of whether the site is internet-facing. The unauthenticated nature of the vulnerability means the RPC endpoint could be reachable through internal network pivoting even on intranet-only sites.
  • Audit for indicators of compromise. Check for unexpected administrator accounts in the WordPress user table, recently installed or modified plugins, unexplained file modifications in the wp-content directory, and unusual entries in access logs targeting the UpdraftPlus RPC endpoint.
  • Run a malware scan. Use a reputable WordPress security scanner to check for backdoors, webshells, or other signs of post-exploitation activity, particularly in the uploads, plugins, and themes directories.
  • Review backup integrity. Since UpdraftPlus manages site backups, verify that existing backup archives have not been tampered with and that backup schedules are functioning correctly after the update.
  • Consider a Web Application Firewall (WAF) rule to block or rate-limit requests targeting the UpdraftPlus remote communications endpoint as an additional layer of defence while patching is underway.
  • Inventory all WordPress installations in your environment and verify the UpdraftPlus version on each. Managed hosting platforms, multisite networks, and client sites may not receive automatic updates and require manual intervention.
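As an added helper for the fix-verification and inventory steps above (example code written for this page, not from the advisory or the UpdraftPlus project): it reads the standard WordPress plugin header, compares the version numerically rather than as a string, and flags any install at or below 1.26.4. The main-file path wp-content/plugins/updraftplus/updraftplus.php and the sample header are assumptions.

```python
import re
from pathlib import Path

# Advisory data: releases up to and including 1.26.4 are affected.
LAST_AFFECTED = (1, 26, 4)
# Standard WordPress plugin header line, e.g. " * Version: 1.26.4"
VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)
# Assumed location of the plugin's main file under a WordPress root.
MAIN_FILE = Path("wp-content") / "plugins" / "updraftplus" / "updraftplus.php"

def parse_version(text):
    """Turn '1.26.4' (or '1.26.5-beta') into a tuple of ints so that
    1.9.9 < 1.26.4 compares numerically, not lexicographically."""
    core = text.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break            # stop at the first non-numeric segment
        parts.append(int(piece))
    return tuple(parts)

def is_affected(version_text):
    """True at or below the last affected release; an unparseable
    version is treated as affected so the check fails closed."""
    parsed = parse_version(version_text)
    return not parsed or parsed <= LAST_AFFECTED

def classify_plugin_source(php_source):
    """Return ('AFFECTED' | 'patched' | 'unknown', version) from header text."""
    m = VERSION_LINE.search(php_source)
    if m is None:
        return ("unknown", None)
    version = m.group(1)
    return ("AFFECTED" if is_affected(version) else "patched", version)

def audit_site(wp_root):
    """Classify one WordPress installation by reading its plugin header."""
    main = Path(wp_root) / MAIN_FILE
    if not main.is_file():
        return ("not-installed", None)
    return classify_plugin_source(main.read_text(errors="replace"))

# Constructed sample header (not a real plugin file) for a stand-alone run.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: UpdraftPlus\nVersion: 1.26.4\n*/\n"

if __name__ == "__main__":
    print(classify_plugin_source(SAMPLE_HEADER))
    print(audit_site("/var/www/example-site"))   # placeholder WordPress root
```

Run audit_site over every WordPress root in your inventory; anything reported as AFFECTED or unknown needs a manual look.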

References

This is a Vulnerability Intelligence advisory covering CVE-2026-10795. Part of the Vulnerability Intelligence series on threat-modeling.com.
