What the vulnerability does
01 Description
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
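The two failures named above (a signature check that can be skipped and a decryption result that is never checked) are both closed by a handler that rejects on any failed step. The following is an added example, not UpdraftPlus code: the message layout, the field names, the functions `signed_bytes` and `open_message`, and the choice of PHP's OpenSSL extension with RSA-OAEP and AES-256-CBC are all assumptions made for illustration.

```php
<?php
// Added illustration, not UpdraftPlus code. Field names and layout are assumptions.
// Bytes covered by the signature; base64 plus '|' keeps field boundaries unambiguous.
function signed_bytes(array $m): string
{
    return implode('|', array_map('base64_encode', [$m['wrapped_key'], $m['iv'], $m['data']]));
}

// Returns the plaintext command, or null when any check fails (fail closed).
function open_message(array $m, $local_private, $remote_public): ?string
{
    // 1. Format: every field is a non-empty string. An absent 'sig' means reject.
    foreach (['wrapped_key', 'iv', 'data', 'sig'] as $f) {
        if (!isset($m[$f]) || !is_string($m[$f]) || $m[$f] === '') {
            return null;
        }
    }
    // 2. Signature before any decryption. openssl_verify() returns 1 only on
    //    success (0 = invalid, -1 or false = error), so compare strictly to 1.
    if (openssl_verify(signed_bytes($m), $m['sig'], $remote_public, OPENSSL_ALGO_SHA256) !== 1) {
        return null;
    }
    // 3. Unwrap the session key: check the return value and the lengths, so a
    //    failed decrypt can never flow on as an empty or zero-padded key.
    $ok = openssl_private_decrypt($m['wrapped_key'], $key, $local_private, OPENSSL_PKCS1_OAEP_PADDING);
    if (!$ok || strlen($key) !== 32 || strlen($m['iv']) !== 16) {
        return null;
    }
    // 4. Symmetric decrypt: false is a failure, not an empty command.
    $plain = openssl_decrypt($m['data'], 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $m['iv']);
    return $plain === false ? null : $plain;
}

// Constructed demo data: throwaway keys and three messages built inline.
$local = openssl_pkey_new(['private_key_bits' => 2048]);
$remote = openssl_pkey_new(['private_key_bits' => 2048]);
$local_pub = openssl_pkey_get_details($local)['key'];
$remote_pub = openssl_pkey_get_details($remote)['key'];
[$key, $iv] = [random_bytes(32), random_bytes(16)];
openssl_public_encrypt($key, $wrapped, $local_pub, OPENSSL_PKCS1_OAEP_PADDING);
$body = openssl_encrypt('{"command":"ping"}', 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
$good = ['wrapped_key' => $wrapped, 'iv' => $iv, 'data' => $body];
openssl_sign(signed_bytes($good), $good['sig'], $remote, OPENSSL_ALGO_SHA256);
$unsigned = array_diff_key($good, ['sig' => true]);        // signature field absent
$bad_wrap = ['wrapped_key' => random_bytes(256)] + $good;  // signed, but not a valid wrapped key
openssl_sign(signed_bytes($bad_wrap), $bad_wrap['sig'], $remote, OPENSSL_ALGO_SHA256);
foreach (['good' => $good, 'unsigned' => $unsigned, 'bad_wrap' => $bad_wrap] as $name => $m) {
    echo $name, ': ', var_export(open_message($m, $local, $remote_pub), true), "\n";
}
```

The `bad_wrap` case is signed by the trusted peer on purpose, so that it reaches step 3 and exercises the return-value check independently of the signature check.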
Explanation of Vulnerability in Simple Terms
02 Summary
UpdraftPlus versions up to 1.26.4 contain a cryptographic signature verification flaw that allows attackers to forge or bypass authentication mechanisms. An attacker can exploit this without authentication or user interaction to read sensitive backup data, modify backups, or disrupt backup operations. Sites using affected versions should update immediately.
What an attacker can do
03 Attacker Capabilities
Read, modify, or delete WordPress backups and sensitive data without authentication.
Potential impact on your site
04 Site Impact
Attackers can access, alter, or destroy your WordPress backups and restore points without logging in.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
June 11, 2026: CVE published
June 11, 2026: Record updated