CVE-2026-10795 HIGH

CVE-2026-10795: UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 - Unauthenticated Authentication Bypass via UpdraftCentral udrpc

Vendor Davidanderson
Product UpdraftPlus: WP Backup & Migration Plugin
Weakness CWE-347
Published June 11, 2026
Last update June 11, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
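The description names two classes of check that an RPC message handler must perform before acting on a message: treating the signature verification result strictly, and refusing to proceed when decryption of the session key has failed rather than letting a failed result degrade into an all-zero key. The hardened handler below is an added illustration written for this advisory, not UpdraftPlus code; the envelope field names, the helper name, the RSA-wrapped AES-256-CBC construction and the 32-byte key length are assumptions.

```php
<?php
// Added illustration for this advisory, not UpdraftPlus code: the envelope
// field names, the helper name and the key sizes are assumptions.
// A signed RPC envelope is only decrypted once the signature result is exactly 1
// and the session-key decryption is known to have succeeded.

function validate_rpc_envelope(array $msg, string $peer_pub_pem, string $site_priv_pem): ?string
{
    // Strict format check: each field must be a non-empty string of valid base64.
    $raw = [];
    foreach (['sealed_key', 'iv', 'payload', 'signature'] as $field) {
        if (!isset($msg[$field]) || !is_string($msg[$field]) || $msg[$field] === '') {
            return null;
        }
        $decoded = base64_decode($msg[$field], true);
        if ($decoded === false) {
            return null;
        }
        $raw[$field] = $decoded;
    }
    if (strlen($raw['iv']) !== 16) {
        return null;
    }

    // Signature: openssl_verify() returns 1, 0 or -1/false. Only 1 means valid;
    // a loose test such as `if ($ok)` would treat an error (-1) as success.
    $pub = openssl_pkey_get_public($peer_pub_pem);
    if ($pub === false) {
        return null;
    }
    $signed = $raw['sealed_key'] . $raw['iv'] . $raw['payload'];
    if (openssl_verify($signed, $raw['signature'], $pub, OPENSSL_ALGO_SHA256) !== 1) {
        return null;
    }

    // Session key: openssl_private_decrypt() reports failure through its return
    // value and leaves $session_key untouched. If that return value were ignored,
    // the null/empty key passed to openssl_decrypt() would be silently NUL-padded
    // to a 32-byte all-zero key, so both the result and the key length are checked.
    $priv = openssl_pkey_get_private($site_priv_pem);
    $session_key = null;
    if ($priv === false
        || !openssl_private_decrypt($raw['sealed_key'], $session_key, $priv, OPENSSL_PKCS1_OAEP_PADDING)
        || !is_string($session_key) || strlen($session_key) !== 32) {
        return null;
    }

    $plaintext = openssl_decrypt($raw['payload'], 'aes-256-cbc', $session_key, OPENSSL_RAW_DATA, $raw['iv']);
    return $plaintext === false ? null : $plaintext;
}
```

Every early return is a hard reject; no branch falls through to command dispatch with a partially validated envelope, which is the property a detection or code-review check for this bug class should look for.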

Explanation of Vulnerability in Simple Terms

02 Summary

UpdraftPlus versions up to 1.26.4 contain a cryptographic signature verification flaw that allows attackers to forge or bypass authentication mechanisms. An attacker can exploit this without authentication or user interaction to read sensitive backup data, modify backups, or disrupt backup operations. Sites using affected versions should update immediately.

What an attacker can do

03 Attacker Capabilities

Read, modify, or delete WordPress backups and sensitive data without authentication.

Potential impact on your site

04 Site Impact

Attackers can access, alter, or destroy your WordPress backups and restore points without logging in.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

June 11, 2026 CVE published
June 11, 2026 Record updated