ctipilot.ch

UpdraftPlus WordPress plugin unauthenticated auth-bypass to RCE (all-zero AES key on failed RSA decrypt), CVSS 8.1

cve · CVE-2026-10795

Coverage timeline: 1 (first 2026-06-14 → last 2026-06-14)
Briefs: 1 (1 distinct)
Sources cited: 6 (6 hosts)
Sections touched: 1 (trending_vulns)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-14 · CTI Daily Brief — 2026-06-14
     trending_vulns · First coverage. 3M+ installs; decrypt_message() fails to validate $rsa->decrypt() -> all-zero AES-128 key -> forged RPC -> malicious plugin upload/RCE. Gated on UpdraftCentral/Migrator key. Wordfence blocked ~4,987 attacks/24h. Fixed in 1.26.5.

Where this entity is cited

  • trending_vulns (1)

Source distribution

  • malware.news: 1 (17%)
  • wpscan.com: 1 (17%)
  • blog.sekoia.io: 1 (17%)
  • enisa.europa.eu: 1 (17%)
  • labs.watchtowr.com: 1 (17%)
  • securityaffairs.com: 1 (17%)

Related entities

Items in briefs about UpdraftPlus WordPress plugin unauthenticated auth-bypass to RCE (all-zero AES key on failed RSA decrypt), CVSS 8.1 (1)

CVE-2026-10795 — UpdraftPlus WordPress backup plugin: unauthenticated authentication bypass to RCE

From CTI Daily Brief — 2026-06-14 · published 2026-06-14

CVE-2026-10795 (CVSS 8.1) is an unauthenticated authentication bypass in UpdraftPlus: WP Backup & Migration, present in versions ≤ 1.26.4 across an estimated 3 million-plus active installations (WPScan, 2026-06-11). The flaw is in the plugin's remote-communication path: decrypt_message() does not validate the return value of $rsa->decrypt(), so when RSA decryption fails the resulting false is passed to Rijndael::setKey() and collapses to a deterministic all-zero AES-128 key — letting an unauthenticated attacker forge RPC commands that execute as the connected administrator, ultimately uploading and activating a malicious plugin for code execution (Wordfence via Malware.news, 2026-06-11). Exploitation is gated on the site having an active UpdraftCentral or Migrator key configured. Wordfence shipped firewall-rule protection to its customers ahead of broad disclosure and the exploitation mechanism is now public; independent confirmation of in-the-wild exploitation was not located in this run. Fixed in 1.26.5. Hunt for unexpected plugin upload/activation events outside change windows and for udrpc_message-bearing POSTs to admin-ajax.php; update immediately and disable UpdraftCentral/Migrator keys if unused.