Description
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
Published: 2026-06-11
Score: 8.1 High
EPSS: 3.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authentication bypass in the UpdraftPlus plugin requests because signature verification is insufficient and the decryption key becomes all zeros. This flaw enables an unauthenticated site with the privileges of the WordPress administrator, such as uploading and activating malicious plugins, which results in remote code execution. The weakness is classified as CWE‑347.

Affected Systems

The affected product is the UpdraftPlus: WP Backup & Migration Plugin developed by David Anderson. Versions up to and including 1.26.4 are vulnerable. Any WordPress site that has this plugin installed and has UpdraftCentral remote communication enabled is potentially exposed.

Risk and Exploitability

The CVSS score of 8.1 indicates a high impact, while the EPSS score of 3% indicates a low probability of exploitation. Because the attack requires an unauthenticated RPC call to the plugin, the likely attack vector is a network‑visible endpoint that accepts remote communication. The vulnerability is not listed in the CISA KEV catalog. The high CVSS and potential for remote code execution mean that sites should treat it as a high‑risk issue. Affected sites with the plugin pre‑1.26.5 should immediately remediate.

Generated by OpenCVE AI on June 24, 2026 at 12:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update UpdraftPlus to version 1.26.5 or later to eliminate the authentication bypass flaw.
  • If an immediate upgrade is not possible, block the /updraft-remote and /updraft-remote-callback URLs so that remote RPC calls cannot reach the plugin.
  • Disable or remove UpdraftCentral integration so that remote communication is not invoked from external sources.
  • As a last resort, uninstall the UpdraftPlus plugin and replace it with a backup solution that does not expose vulnerable RPC endpoints.

Generated by OpenCVE AI on June 24, 2026 at 12:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Davidanderson
Davidanderson updraftplus: Wp Backup & Migration Plugin
Wordpress
Wordpress wordpress
Vendors & Products Davidanderson
Davidanderson updraftplus: Wp Backup & Migration Plugin
Wordpress
Wordpress wordpress

Thu, 11 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
Title UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 - Unauthenticated Authentication Bypass via UpdraftCentral udrpc
Weaknesses CWE-347
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Davidanderson Updraftplus: Wp Backup & Migration Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-11T14:37:38.538Z

Reserved: 2026-06-03T21:07:44.434Z

Link: CVE-2026-10795

cve-icon Vulnrichment

Updated: 2026-06-11T14:37:28.713Z

cve-icon NVD

Status : Deferred

Published: 2026-06-11T07:16:26.713

Modified: 2026-06-11T14:42:47.007

Link: CVE-2026-10795

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses
  • CWE-347

    Improper Verification of Cryptographic Signature