UpdraftPlus Auth Bypass (CVE-2026-10795) Puts 3 Million WordPress Sites at Risk
UpdraftPlus is one of those plugins you install once, schedule a backup job, and then mostly forget about. Three million WordPress sites are running it right now. Yesterday — June 11, 2026 — researchers disclosed that versions up to and including 1.26.4 contain a flaw that lets a completely unauthenticated attacker execute arbitrary code on your server as a WordPress administrator. A patch has been out since June 3rd. Active exploitation started immediately after public disclosure, with Wordfence reporting more than 8,000 blocked attacks within the first 24 hours.
What the Bug Is, and Why It Works
The vulnerability, CVE-2026-10795 (CVSS 8.1, High), lives in the plugin's remote communications layer — specifically the UpdraftPlus_Remote_Communications_V2::wp_loaded function that handles RPC calls from UpdraftCentral, the company's remote site-management dashboard.
Here's the short version of what goes wrong: when the plugin decrypts an incoming RPC message, it calls $rsa->decrypt() but never checks whether decryption actually succeeded. If the RSA decryption fails, the function returns false — and that false value silently propagates as the decryption key for the symmetric AES layer. The result is an all-zero AES-128 key: fully deterministic, fully known to any attacker. They can forge any encrypted message they want, and the server accepts it as authentic.
Wordfence's advisory puts it plainly: the flaw "allows unauthenticated attackers to run arbitrary Remote Procedure Calls (RPC) as the connected administrator." From there the path to full site compromise is short — upload a malicious plugin, activate it, and you have shell access. Security researcher vtim discovered and responsibly disclosed the issue, earning a $5,200 bounty.
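To make the failure mode concrete, here is a constructed PHP sketch (added for this article, not UpdraftPlus's own code) of an RSA-wrapped AES envelope being unwrapped without checking the RSA result, beside the strict type-and-length check of the kind 1.26.5 introduces. All function names are hypothetical; it assumes PHP 8 with the openssl extension, whose openssl_decrypt zero-pads a short key by default.

```php
<?php
// Constructed demonstration of the unchecked-decrypt failure mode; the
// function names are hypothetical and this is not UpdraftPlus's own code.
// Assumes PHP 8 with the openssl extension.

// Unwrap a per-message AES key with RSA. Returns the key or false on failure,
// mirroring the $rsa->decrypt() contract described in the article.
function rsa_decrypt(string $blob, $priv): string|false
{
    $out = '';
    return openssl_private_decrypt($blob, $out, $priv) ? $out : false;
}

// Vulnerable form: the RSA result goes straight to the AES layer, unchecked.
function unwrap_vulnerable(string $wrapped, string $iv, string $ct, $priv): string|false
{
    $key = rsa_decrypt($wrapped, $priv);       // false when RSA decryption fails
    // (string) false === "", and openssl_decrypt zero-pads a short key by
    // default, so the AES layer silently runs with a fixed all-zero 16-byte key.
    return openssl_decrypt($ct, 'aes-128-cbc', (string) $key, OPENSSL_RAW_DATA, $iv);
}

// Hardened form: refuse the envelope unless a 16-byte string key came back.
function unwrap_hardened(string $wrapped, string $iv, string $ct, $priv): string|false
{
    $key = rsa_decrypt($wrapped, $priv);
    if (!is_string($key) || strlen($key) !== 16) {
        return false;                          // fail closed, no fallback key
    }
    return openssl_decrypt($ct, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

// Self-check with a throwaway RSA key and a constructed envelope whose RSA
// blob is longer than the modulus, so RSA decryption fails deterministically.
$priv = openssl_pkey_new(['private_key_bits' => 2048,
                          'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$iv   = random_bytes(16);
$bad_wrapped_key   = random_bytes(300);
$ct_under_zero_key = openssl_encrypt('constructed test message', 'aes-128-cbc',
                                     str_repeat("\0", 16), OPENSSL_RAW_DATA, $iv);

var_dump(unwrap_vulnerable($bad_wrapped_key, $iv, $ct_under_zero_key, $priv)); // vulnerable path
var_dump(unwrap_hardened($bad_wrapped_key, $iv, $ct_under_zero_key, $priv));   // hardened path
```

The vulnerable path returns the plaintext of an envelope that was never wrapped with the server's real key, while the hardened path returns false; the same is_string/strlen guard is the check to look for when reviewing any decrypt-then-use code.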
Who Is Actually Vulnerable
There's one important condition: the attack only works on sites that have previously connected to UpdraftCentral or that have an active Migrator key set up. If you've never touched either feature, the vulnerable code path is never registered and you're not directly exposed.
That said, UpdraftCentral is explicitly marketed as a way to manage multiple WordPress sites from one dashboard — which means the sites most likely to be targeted are the ones that are already managing other sites. Agencies and hosting providers that use UpdraftCentral to oversee client installations should treat this as urgent. And even sites without UpdraftCentral set up should still update: the history of vulnerability research is full of cases where a "condition required" turns out to be weaker than it looked.
The Exploitation Timeline Is Compressing
Here's what the last ten days look like:
- June 3: Wordfence Premium, Care, and Response customers received firewall rules protecting against CVE-2026-10795.
- June 3: UpdraftPlus 1.26.5 released, adding the missing return-value check as a strict type-and-length validation before the decrypted key is ever used.
- June 11: Full public disclosure. A working proof-of-concept is now publicly available.
- June 11-12: Thousands of exploitation attempts per day, confirmed by Wordfence telemetry.
- July 3: Wordfence free users receive firewall protection — 30 days after Premium users did.
That last line is worth staring at. Sites running the free tier of Wordfence have no automated firewall defense against this exploit until July 3rd. If you're relying on the free tier and haven't updated the plugin yet, your firewall is not catching these attacks right now.
Why Backup Plugins Are a High-Value Target
Security attention tends to focus on contact forms, e-commerce plugins, and membership systems — the places users input data. Backup plugins sit further from that spotlight, but they're actually an ideal target for several reasons.
First, elevated privilege is baked in. A backup plugin needs filesystem access, database access, and the ability to write large files — which means any code execution through it arrives pre-loaded with unusually broad reach. Second, backup plugins often have outbound connectivity configured (S3, Google Drive, remote FTP) that an attacker can immediately weaponize to exfiltrate data before the compromise is even noticed. Third, the backup archives themselves — if stored locally — may contain complete database dumps including password hashes, API keys, and customer PII.
Gaining admin-level RPC access to UpdraftPlus isn't just about defacing a site. It's a fast path to reading every credential that was ever in that database.
What to Do Right Now
- Update UpdraftPlus to 1.26.5 or newer immediately. This is not a "do it by end of week" situation. The patch has been available since June 3rd; every day without it is unnecessary exposure.
- Check your UpdraftCentral connection status. In the UpdraftPlus settings, look for any active UpdraftCentral or Migrator keys. If you see keys you don't recognize or no longer use, revoke them.
- Audit recent plugin activity. Check your WordPress admin for any plugins installed or activated in the last two weeks that you don't recognize. An attacker who got in before you patch may have left something behind.
- Review your backup storage configuration. If UpdraftPlus stores backups locally in the /wp-content/updraft/ directory, move them to a non-web-accessible location or off-server storage. Those archives should never be publicly downloadable.
- If you run Wordfence Free, consider upgrading or adding an alternative WAF temporarily. The 30-day firewall delay is a real gap while you're running outdated plugin versions.
At Falcon Internet, anomalous plugin activity — unexpected installations, sudden admin account creation, unusual outbound file transfers — surfaces through 24x7x365 NOC monitoring, which is exactly how you catch the successful exploits that slip past patch cycles. The patch is the right answer here, but defense in depth is what catches the gaps.
The Broader Lesson
CVE-2026-10795 is a reminder that the security posture of a WordPress installation is only as strong as its most-trusted plugin. Backup software sits at the top of that trust hierarchy by necessity — it has to. That trust needs to be earned continuously through rigorous code review, dependency auditing, and cryptographic hygiene. A missed return-value check in an RSA decryption call isn't a trivial oversight when the code controls administrative access to three million websites.
Update the plugin. Audit the keys. Check the logs.