Vulnerability detail
Enriched intelligence for a single CVE
High
CVE-2026-10795
PUBLISHEDUpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 - Unauthenticated Authentication Bypass via UpdraftCentral udrpc
- Vendor
- davidanderson
- Product
- UpdraftPlus: WP Backup & Migration Plugin
- Published
- Jun 11, 2026
- EPSS
- —
Automate this intelligence with the Pro API
Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.
Description
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
Weaknesses (CWE)
-
Improper Verification of Cryptographic Signature
CVSS scores
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation status
Exploited in the wild
Recorded 2026-06-11 07:20:32 UTC · Daily CyberSecurity
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e901c2a0-2477-4b9a-8483-6002419e0a2f?source=cve
- https://plugins.svn.wordpress.org/updraftplus/tags/1.26.4/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc2.php
- https://plugins.svn.wordpress.org/updraftplus/tags/1.26.4/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc.php
- https://plugins.trac.wordpress.org/changeset/3561938/updraftplus/trunk/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc2.php
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| Daily CyberSecurity First | 2026-06-11 07:20 UTC |
Recent mentions
Daily CyberSecurity · Jun 10, 2026
Cybersecurity experts recently identified a massive threat to WordPress websites. Specifically, hackers are actively exploiting a critical UpdraftPlus The post Critical UpdraftPlus CVE-2026-10795 Exploit Targets Millions appeared first on Daily CyberSecurity. Related posts: Critical WordPress Plugin Flaw (CVE-2025-7384, CVSS 9.8) Exposes 70,000+ Sites to RCE and Data Loss CVE-2025-5821: Critical Authentication Bypass in WordPress Case Theme User Plugin Exploited in the Wild Critical Flaw in Termix Docker Image (CVE-2025-59951) Leaks SSH Credentials Without Authentication
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel