Critical Authentication Bypass in UpdraftPlus WordPress Plugin Allows Admin Takeover
A critical vulnerability in the UpdraftPlus WordPress plugin, affecting over 3 million sites, allows unauthenticated attackers to execute arbitrary commands as an administrator, potentially leading to full site compromise.

An unauthenticated authentication bypass vulnerability has been patched in the widely used UpdraftPlus WordPress plugin, a backup tool with over 3 million active installations. The flaw, tracked as CVE-2026-10795, allows unauthenticated attackers to issue arbitrary remote procedure calls (RPC) as a site administrator. With administrator-level RPC access an attacker can upload and activate a malicious plugin, which yields arbitrary PHP code execution and complete compromise of the site.
The vulnerability is only exploitable on WordPress sites that have previously been connected to UpdraftCentral, the plugin's remote site-management dashboard. That connection registers an RPC listener on the site, and because the listener does not properly validate the messages it receives, it becomes the attack vector. The flaw was discovered by researcher vtim, who reported it through the Wordfence Bug Bounty Program and received a $5,200 bounty.
In its technical analysis, Wordfence places the vulnerability in the UpdraftPlus_Remote_Communications_V2::wp_loaded function. The root cause is insufficient validation of the remote-communications message format. Two defects combine: the signature verification can be bypassed, and the return value of the decryption step is never checked, so a failed decryption leaves the code using a predictable, all-zero AES key instead of the real one. An attacker who knows this can encrypt a forged RPC message under the all-zero key, and the server will decrypt and execute it as if it had come from a legitimate UpdraftCentral connection.
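The following PHP is an added illustration written for this article; it is not code from UpdraftPlus, UpdraftCentral or Wordfence, and it does not reproduce the plugin's real message format. It models the defect class the analysis describes, an RPC envelope whose AES session key is RSA-wrapped and whose decryption result is never checked, beside a receiver that fails closed. The envelope layout, function names, key sizes and the sample RPC bodies are assumptions constructed for the demo. The vulnerable receiver deliberately starts after the signature step, standing in for the bypass the analysis reports without detailing its mechanism.

```php
<?php
// Added illustration, not UpdraftPlus/UpdraftCentral/Wordfence code.
// Constructed envelope (raw bytes, all field names assumed for this demo):
//   'key'  RSA-OAEP-wrapped 32-byte AES key, for the site's private key
//   'iv'   16-byte CBC IV
//   'data' AES-256-CBC ciphertext of the RPC body
//   'sig'  sender's RSA-SHA256 signature over iv . data

// Legitimate sender: wrap a fresh session key for the site and sign the body.
function wrap_envelope(string $body, string $site_pub_pem, $sender_priv): array {
    $aes_key = random_bytes(32);
    $iv      = random_bytes(16);
    $data    = openssl_encrypt($body, 'aes-256-cbc', $aes_key, OPENSSL_RAW_DATA, $iv);
    openssl_public_encrypt($aes_key, $wrapped, $site_pub_pem, OPENSSL_PKCS1_OAEP_PADDING);
    openssl_sign($iv . $data, $sig, $sender_priv, OPENSSL_ALGO_SHA256);
    return ['key' => $wrapped, 'iv' => $iv, 'data' => $data, 'sig' => $sig];
}

// Attacker (constructed forgery): garbage where the wrapped key belongs, and a
// body encrypted under the all-zero key that the vulnerable receiver falls into.
function forge_envelope(string $body, int $rsa_modulus_bytes): array {
    $iv       = random_bytes(16);
    $zero_key = str_repeat("\0", 32);
    return [
        'key'  => random_bytes($rsa_modulus_bytes),   // RSA-OAEP unwrap of this fails
        'iv'   => $iv,
        'data' => openssl_encrypt($body, 'aes-256-cbc', $zero_key, OPENSSL_RAW_DATA, $iv),
        'sig'  => '',                                  // no valid signature at all
    ];
}

// Vulnerable receiver: models the state after the signature check has been
// bypassed, then ignores whether the key unwrap succeeded.
function receive_vulnerable(array $env, $site_priv) {
    openssl_private_decrypt($env['key'], $aes_key, $site_priv, OPENSSL_PKCS1_OAEP_PADDING);
    // On failure openssl_private_decrypt() returns false and never assigns
    // $aes_key, so it is still null. openssl_decrypt() coerces that to "" and
    // zero-pads a short key to the cipher's key length: 32 NUL bytes, a key the
    // attacker knows too. The cast only silences PHP 8.1's null deprecation notice.
    return openssl_decrypt($env['data'], 'aes-256-cbc', (string) $aes_key,
                           OPENSSL_RAW_DATA, $env['iv']);
}

// Hardened receiver: verify the signature strictly, then fail closed on every
// step that can return false instead of the value the next step expects.
function receive_hardened(array $env, $site_priv, string $sender_pub_pem) {
    foreach (['key', 'iv', 'data', 'sig'] as $f) {
        if (!isset($env[$f]) || !is_string($env[$f])) {
            return false;
        }
    }
    // openssl_verify() returns 1, 0, or -1/false; only 1 means "valid", so a
    // truthiness test would be wrong here.
    if (openssl_verify($env['iv'] . $env['data'], $env['sig'], $sender_pub_pem,
                       OPENSSL_ALGO_SHA256) !== 1) {
        return false;
    }
    $aes_key = null;
    if (openssl_private_decrypt($env['key'], $aes_key, $site_priv, OPENSSL_PKCS1_OAEP_PADDING) !== true
        || !is_string($aes_key) || strlen($aes_key) !== 32 || strlen($env['iv']) !== 16) {
        return false;   // no usable key, no decryption, no command dispatch
    }
    return openssl_decrypt($env['data'], 'aes-256-cbc', $aes_key, OPENSSL_RAW_DATA, $env['iv']);
}

// Demo with two constructed 2048-bit keypairs: the site's (for unwrapping) and
// the sender's (for signing). RPC bodies are constructed sample strings.
$site_priv   = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$sender_priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$site_pub    = openssl_pkey_get_details($site_priv)['key'];
$sender_pub  = openssl_pkey_get_details($sender_priv)['key'];

$legit  = wrap_envelope('{"op":"status"}', $site_pub, $sender_priv);
$forged = forge_envelope('{"op":"attacker-chosen"}', 256);

var_dump(receive_vulnerable($forged, $site_priv));
var_dump(receive_hardened($forged, $site_priv, $sender_pub));
var_dump(receive_hardened($legit, $site_priv, $sender_pub));
```

Run with any PHP build that has the openssl extension. The first call recovers the attacker's body because the failed unwrap degraded to a key the attacker chose; the second rejects the forgery at the signature check before any key handling; the third decrypts the legitimately wrapped message, showing that failing closed costs nothing on the valid path. OAEP padding is used in the demo because a failed OAEP unwrap reports an error, whereas some OpenSSL 3 builds answer a bad PKCS#1 v1.5 ciphertext with random bytes instead.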
Once the signature and decryption checks have been bypassed, the attacker can issue commands with the privileges of the administrator who established the UpdraftCentral connection. The most severe consequence is uploading and activating a malicious plugin, which provides a direct path to arbitrary code execution and full control over the site. The vulnerability carries a CVSS score of 8.1, which places it in the High severity band.
Wordfence began protecting its Premium, Care, and Response users with a firewall rule on June 3, 2026, with free version users receiving the same protection 30 days later, on July 3, 2026. The UpdraftPlus development team was notified on June 3, 2026, and responded promptly, releasing version 1.26.5 on June 5, 2026, to address the vulnerability. Wordfence commended the developer for their swift action.
Users of UpdraftPlus are strongly urged to update to version 1.26.5 or later immediately. The vulnerability affects all versions of UpdraftPlus up to and including 1.26.4. Because the exposed RPC listener is only set up by an UpdraftCentral connection, sites that have never been connected to UpdraftCentral are not affected by the condition described above, but they should still update, and operators of connected sites should treat an unpatched installation as exposed to unauthenticated attackers. That a flaw of this severity could exist in such a widely used plugin highlights the ongoing security challenges within the WordPress ecosystem and the importance of timely patching and robust security measures.
This incident underscores the need for vigilance in managing WordPress plugins, especially those that handle remote management or integrate with external services. The potential for unauthenticated attackers to gain administrative privileges and execute arbitrary code remains a significant threat, emphasizing the value of proactive security research and rapid vendor response.