Sites running UpdraftPlus and connected to UpdraftCentral — the plugin’s remote site management dashboard — were exposed to an authentication bypass that allowed a completely unauthenticated attacker to gain full administrative control. The flaw, tracked as CVE-2026-10795 (CVSS 3.1 score of 8.1, High), affects all versions of UpdraftPlus up to and including 1.26.4. Version 1.26.5, released June 5, 2026, patches the issue. The CVSS band lands at High rather than Critical, but the practical impact — full administrative takeover with no authentication required — is why this warrants urgent attention regardless of the score.
The plugin has more than 3 million active installations, though only sites that have been connected to UpdraftCentral are vulnerable. Once the listener treats a forged message as coming from the connected administrator, an attacker can issue RPC commands such as plugin.upload_plugin and plugin.activate_plugin to upload and activate a malicious plugin, gaining arbitrary PHP code execution and complete control of the affected site.

The root cause lies in how UpdraftPlus handles encrypted messages sent by UpdraftCentral. When a site is connected to UpdraftCentral, the plugin registers an unauthenticated RPC (Remote Procedure Call) listener — a component that accepts remote commands — on every page load. That listener calls the decrypt_message() function in the UpdraftPlus_Remote_Communications_V2 class, which attempts to decrypt an incoming symmetric key using the site’s RSA private key. The problem is that the function never checked whether decryption actually succeeded. How the exploit chain works:
- When a malformed encrypted key is supplied, the underlying phpseclib library returns false instead of throwing an error.
- Passing false to the AES key function collapses silently to an all-zero 128-bit key and an all-zero initialization vector.
- An attacker can reproduce this exact configuration locally and craft a message that the server decrypts and accepts as legitimate.
- Once accepted, the listener calls wp_set_current_user() with the site's connected administrator ID, granting full admin access for that request.
The fix validates that the decrypted symmetric key is a non-false string of at least 16 characters before it is used. If that check fails, the function returns false and the message is rejected. The fix and full release notes are available in the UpdraftPlus changelog.
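The exploit chain above and the shape of the fix, as an added Go model written for this page rather than taken from UpdraftPlus, phpseclib or Wordfence. It uses Go's standard-library RSA and AES in place of phpseclib, represents PHP's false return as nil, and assumes a constructed message format (an RSA-encrypted blob holding the AES key and IV, plus an AES-128-CBC body) that is not the plugin's real wire format. vulnerableDecrypt never checks the RSA result, so a message the attacker encrypts under the all-zero key and IV decrypts cleanly; patchedDecrypt applies the non-false, minimum-length check before any key material reaches the cipher and rejects it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

const keyLen = 16 // AES-128 key length and block size

// Constructed message format for this model, not the plugin's wire format:
// EncKeyBlob is RSA PKCS#1 v1.5 ciphertext of (16-byte AES key || 16-byte IV);
// Body is AES-128-CBC ciphertext of the JSON command, PKCS#7 padded.
type message struct {
	EncKeyBlob []byte
	Body       []byte
}

// decryptKeyBlobLegacy stands in for the phpseclib behaviour described above:
// a failed RSA decryption yields nil (PHP false) instead of an error.
func decryptKeyBlobLegacy(priv *rsa.PrivateKey, blob []byte) []byte {
	plain, err := rsa.DecryptPKCS1v15(rand.Reader, priv, blob)
	if err != nil {
		return nil
	}
	return plain
}

// splitKeyIV mimics a key setter that silently zero-pads whatever it is given,
// so nil collapses to an all-zero key and an all-zero IV.
func splitKeyIV(blob []byte) (key, iv []byte) {
	padded := make([]byte, 2*keyLen)
	copy(padded, blob)
	return padded[:keyLen], padded[keyLen:]
}

func cbcEncrypt(key, iv, plain []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes in this model
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	n := int(out[len(out)-1]) // PKCS#7: every pad byte must equal the pad length
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return out[:len(out)-n], nil
}

// vulnerableDecrypt models decrypt_message() before the fix: the RSA result is
// never checked, so a malformed blob silently selects the zero key and zero IV.
func vulnerableDecrypt(priv *rsa.PrivateKey, m message) ([]byte, error) {
	key, iv := splitKeyIV(decryptKeyBlobLegacy(priv, m.EncKeyBlob))
	return cbcDecrypt(key, iv, m.Body)
}

// patchedDecrypt adds the 1.26.5-style check before any AES setup. The shipped
// fix requires a non-false key of at least 16 bytes; this model packs the IV
// into the same blob, so it requires 32.
func patchedDecrypt(priv *rsa.PrivateKey, m message) ([]byte, error) {
	blob := decryptKeyBlobLegacy(priv, m.EncKeyBlob)
	if blob == nil || len(blob) < 2*keyLen {
		return nil, errors.New("symmetric key decryption failed; message rejected")
	}
	key, iv := splitKeyIV(blob)
	return cbcDecrypt(key, iv, m.Body)
}

// forgeMessage is the attacker's side: no key material is needed. 256 bytes of
// 0xff lie outside a 2048-bit modulus, so the RSA step fails and the server
// falls back to the zero key/IV that the attacker also encrypts under.
func forgeMessage(payload []byte) message {
	zero := make([]byte, keyLen)
	return message{EncKeyBlob: bytes.Repeat([]byte{0xff}, 256), Body: cbcEncrypt(zero, zero, payload)}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged := forgeMessage([]byte(`{"command":"plugin.activate_plugin"}`))
	pt, err := vulnerableDecrypt(priv, forged)
	fmt.Printf("vulnerable: plaintext=%q err=%v\n", pt, err)
	_, err = patchedDecrypt(priv, forged)
	fmt.Printf("patched: err=%v\n", err)
}
```

Run it with go run: the vulnerable line prints the forged command back as plaintext, the patched line prints the rejection error. splitKeyIV is the modelled analogue of the silent collapse the text describes; the lesson that carries over to any RSA-wrapped-key scheme is that a decryption primitive which signals failure by return value rather than exception must have that value checked before it is handed to the symmetric cipher.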
The vulnerability was discovered by researcher vtim and submitted through the Wordfence Bug Bounty Program on June 1, 2026. The researcher was awarded a bounty of $5,200. Wordfence validated the report, sent full disclosure to the vendor on June 3, 2026, and published a technical write-up of the issue. Wordfence Premium, Care, and Response users received a firewall rule blocking exploitation attempts on June 3, 2026; sites on the free Wordfence plan will not receive that same protection until July 3, 2026 — a 30-day gap in coverage.
Sites running UpdraftPlus 1.26.4 or earlier with UpdraftCentral connected should update to version 1.26.5 immediately; for sites on the free Wordfence plan, which receive no firewall rule until July 3, 2026, updating is the only protection available in the meantime.