Impact
The vulnerability is an authentication bypass in the UpdraftPlus plugin requests because signature verification is insufficient and the decryption key becomes all zeros. This flaw enables an unauthenticated site with the privileges of the WordPress administrator, such as uploading and activating malicious plugins, which results in remote code execution. The weakness is classified as CWE‑347.
Affected Systems
The affected product is the UpdraftPlus: WP Backup & Migration Plugin developed by David Anderson. Versions up to and including 1.26.4 are vulnerable. Any WordPress site that has this plugin installed and has UpdraftCentral remote communication enabled is potentially exposed.
Risk and Exploitability
The CVSS score of 8.1 indicates a high impact, while the EPSS score of 3% indicates a low probability of exploitation. Because the attack requires an unauthenticated RPC call to the plugin, the likely attack vector is a network‑visible endpoint that accepts remote communication. The vulnerability is not listed in the CISA KEV catalog. The high CVSS and potential for remote code execution mean that sites should treat it as a high‑risk issue. Affected sites with the plugin pre‑1.26.5 should immediately remediate.
OpenCVE Enrichment