CVE-2026-10795 - Vulnerability Details

Description

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.

Published: 2026-06-11

Score: 8.1 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an authentication bypass in the UpdraftPlus plugin that allows an attacker to forge RPC requests because signature verification is insufficient and the decryption key becomes all zeros. This flaw enables an unauthenticated user to execute arbitrary commands on the WordPress site with the privileges of the WordPress administrator, such as uploading and activating malicious plugins, which results in remote code execution. The weakness is classified as CWE‑347.

Affected Systems

The affected product is the UpdraftPlus: WP Backup & Migration Plugin developed by David Anderson. Versions up to and including 1.26.4 are vulnerable. Any WordPress site that has this plugin installed and has UpdraftCentral remote communication enabled is potentially exposed.

Risk and Exploitability

The CVSS score of 8.1 indicates a high impact, while the EPSS score is not available, so the current exploitation likelihood cannot be quantified. Because the attack requires an unauthenticated RPC call to the plugin, the likely attack vector is a network‑visible endpoint that accepts remote communication requests. The vulnerability is not listed in the CISA KEV catalog, but the high CVSS and potential for remote code execution mean that sites should treat it as a high‑risk issue. Affected sites with the plugin pre‑1.26.5 should immediately remediate.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

davidanderson

UpdraftPlus: WP Backup & Migration Plugin

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.26.4

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update UpdraftPlus to version 1.26.5 or later to eliminate the authentication bypass flaw.
If an immediate upgrade is not possible, block the /updraft-remote and /updraft-remote-callback URLs so that remote RPC calls cannot reach the plugin.
Disable or remove UpdraftCentral integration so that remote communication is not invoked from external sources.
As a last resort, uninstall the UpdraftPlus plugin and replace it with a backup solution that does not expose vulnerable RPC endpoints.

Generated by OpenCVE AI on June 11, 2026 at 07:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.svn.wordpress.org/updraftplus/tags/1.26.4/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc.php
https://plugins.svn.wordpress.org/updraftplus/tags/1.26.4/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc2.php
https://plugins.trac.wordpress.org/changeset/3561938/updraftplus/trunk/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc2.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/e901c2a0-2477-4b9a-8483-6002419e0a2f?source=cve

History

Thu, 11 Jun 2026 06:45:00 +0000

Type	Values Removed	Values Added
Description		The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
Title		UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 - Unauthenticated Authentication Bypass via UpdraftCentral udrpc
Weaknesses		CWE-347
References		https://plugins.svn.wordpress.org/updraftplus/tags/1.26.4/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc.php https://plugins.svn.wordpress.org/updraftplus/tags/1.26.4/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc2.php https://plugins.trac.wordpress.org/changeset/3561938/updraftplus/trunk/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc2.php https://www.wordfence.com/threat-intel/vulnerabilities/id/e901c2a0-2477-4b9a-8483-6002419e0a2f?source=cve
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-06-11T05:34:20.360Z

Updated: 2026-06-11T05:34:20.360Z

Reserved: 2026-06-03T21:07:44.434Z

Link: CVE-2026-10795

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-11T07:16:26.713

Modified: 2026-06-11T07:16:26.713

Link: CVE-2026-10795

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T07:30:08Z

Weaknesses

CWE-347

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object