CVE-2026-10795
Published 2026-06-11. CVE-2026-10795: The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the…
Priority: P1 · 83 · high · CVSS 3.1 base score 8.1
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 3.58% (87.9th percentile)
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| davidanderson | updraftplus_wp_backup_migration_plugin | <= 1.26.4 | — |
Detection & IOCs (extracted from sources)
Path: /wp-content/plugins/updraftplus/readme.txt
Command: POST / HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded ... format=1&key_name=%s&udrpc_message=%s
- Scan wp-content/plugins on disk for hidden plugin folders 'content-delivery-helper' or 'database-optimizer' — these do not appear in the WordPress dashboard and indicate active backdoor installation.
- Review web server access logs from June 12–14 UTC for outbound POST/GET requests to tidio.cc (especially /cdn-cgi/ paths) and connections to 84.201.6.54, which indicate successful exploitation and data exfiltration.
- Check WordPress user accounts for 'developer_api1' or accounts matching the pattern 'dev_xxxxxx' — these are attacker-created admin accounts used for persistent access.
- The exploit targets UpdraftPlus <= 1.26.4 via a crafted POST to the site root with parameters 'format=1', 'key_name', and 'udrpc_message'. Detect exploitation attempts by monitoring for POST requests with these parameters where the response body contains 'udrpc_message'.
- The authentication bypass works by forging the UDRPC message format: a crafted message with an RSA-encrypted block and ciphertext block collapses to an all-zero encryption key, bypassing signature verification. Monitor for unauthenticated POST requests to WordPress sites running UpdraftPlus with 'udrpc_message' in the body.
- The malicious script payload only executes when a WordPress administrator is logged in. Detection on the server side (filesystem and log review) is required — the backdoor is designed to be invisible from the WordPress admin dashboard.
- Version fingerprinting: probe /wp-content/plugins/updraftplus/readme.txt and extract 'Stable tag' version. Flag any site running UpdraftPlus <= 1.26.4 as vulnerable to CVE-2026-10795.
- The entry point for the broader supply-chain attack (CDN tampering of PushEngage/OptinMonster/TrustPulse) is unconfirmed. PushEngage attributes it to CVE-2026-10795 exploitation on their marketing server, but Sansec considers the breached system still unknown.
- The exposure window differed per plugin: OptinMonster and TrustPulse were exposed for ~25 minutes on June 12 (22:17–22:42 UTC); PushEngage's exposure ran for several hours on June 12 and into June 14. Scope your log review accordingly.
- Removing the named malicious plugin and rogue admin account may be insufficient — the attacker had arbitrary code execution and may have planted additional backdoors. Full credential rotation and server-side forensic scanning are required.
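The checks in the list above, collected into one host-side triage script. This is an added example, not code from UpdraftPlus, Wordfence, Sansec or any other source cited on this page. It reads the plugin readme.txt 'Stable tag' and compares it against 1.26.4, flags request records whose form body carries the three UDRPC parameters (this needs a WAF or audit log that records bodies, since a plain access log does not), matches egress log lines against the tidio.cc / 84.201.6.54 indicators, and matches plugin folder names and usernames against the named IOCs. The 'dev_xxxxxx' account pattern is assumed here to mean six lowercase alphanumerics; all sample inputs are constructed.

```python
"""Defender-side triage for the CVE-2026-10795 indicators listed on this page.
Added example; not code from UpdraftPlus or any cited source. Sample inputs
below are constructed; assumptions are marked in comments."""
import os
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

LAST_VULNERABLE = (1, 26, 4)            # affected: all versions <= 1.26.4
IOC_PLUGIN_DIRS = {"content-delivery-helper", "database-optimizer"}
IOC_USERNAMES = {"developer_api1"}
# 'dev_xxxxxx' from the IOC list; assumed to mean six lowercase alphanumerics
ROGUE_USER_RE = re.compile(r"^dev_[a-z0-9]{6}$")
IOC_HOSTS = ("tidio.cc", "84.201.6.54")
STABLE_TAG_RE = re.compile(r"^Stable tag:\s*([\d.]+)", re.I | re.M)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.26.4' -> (1, 26, 4); tuple comparison orders 1.26.10 above 1.26.4."""
    return tuple(int(p) for p in text.strip().split("."))


def stable_tag(readme: str) -> Optional[Tuple[int, ...]]:
    """Version advertised by a WordPress plugin readme.txt, or None if absent."""
    m = STABLE_TAG_RE.search(readme)
    return parse_version(m.group(1)) if m else None


def is_vulnerable_version(readme: str) -> bool:
    """True when the readme's Stable tag is at or below 1.26.4."""
    v = stable_tag(readme)
    return v is not None and v <= LAST_VULNERABLE


def is_udrpc_post(method: str, target: str, body: str) -> bool:
    """True for a POST to the site root whose form body carries format=1,
    key_name and udrpc_message. Parses the body instead of substring
    matching so 'xformat=1' does not count."""
    if method.upper() != "POST" or urlsplit(target).path not in ("", "/"):
        return False
    params = parse_qs(body, keep_blank_values=True)
    return (params.get("format") == ["1"]
            and "key_name" in params and "udrpc_message" in params)


def egress_ioc_hits(lines: Iterable[str]) -> List[str]:
    """Egress/proxy log lines that reference the exfiltration host or IP."""
    return [ln for ln in lines if any(h in ln for h in IOC_HOSTS)]


def hidden_plugin_hits(plugin_dir_names: Iterable[str]) -> List[str]:
    """Plugin folder names matching the backdoor plugin IOCs."""
    return sorted(d for d in plugin_dir_names if d in IOC_PLUGIN_DIRS)


def scan_plugins_dir(path: str) -> List[str]:
    """Same check against a real wp-content/plugins directory on disk."""
    return hidden_plugin_hits(os.listdir(path))


def rogue_admin_hits(usernames: Iterable[str]) -> List[str]:
    """Usernames matching the attacker-created account IOCs."""
    return sorted(u for u in usernames
                  if u in IOC_USERNAMES or ROGUE_USER_RE.match(u))


# --- constructed sample inputs (not real site data) ---------------------
SAMPLE_README_VULN = "=== UpdraftPlus: WP Backup & Migration Plugin ===\nStable tag: 1.26.4\n"
SAMPLE_README_FIXED = "=== UpdraftPlus: WP Backup & Migration Plugin ===\nStable tag: 1.26.5\n"
SAMPLE_REQUESTS = [  # (method, target, body) as a WAF would record them
    ("POST", "/", "format=1&key_name=site-a&udrpc_message=AAAA"),
    ("POST", "/", "action=heartbeat&_nonce=abc"),
    ("GET", "/wp-content/plugins/updraftplus/readme.txt", ""),
]
SAMPLE_EGRESS = [
    "2026-06-13T01:02:03Z CONNECT 84.201.6.54:443 from web01",
    "2026-06-13T01:02:05Z GET https://tidio.cc/cdn-cgi/x from web01",
    "2026-06-13T01:03:00Z GET https://api.wordpress.org/plugins/info/1.2/ from web01",
]
SAMPLE_PLUGIN_DIRS = ["updraftplus", "akismet", "content-delivery-helper"]
SAMPLE_USERS = ["admin", "developer_api1", "dev_a1b2c3", "editor_jane"]


def triage() -> dict:
    """Run every check over the constructed samples and return the findings."""
    return {
        "vulnerable_version": is_vulnerable_version(SAMPLE_README_VULN),
        "udrpc_posts": [t for t in SAMPLE_REQUESTS if is_udrpc_post(*t)],
        "egress": egress_ioc_hits(SAMPLE_EGRESS),
        "plugins": hidden_plugin_hits(SAMPLE_PLUGIN_DIRS),
        "users": rogue_admin_hits(SAMPLE_USERS),
    }


if __name__ == "__main__":
    for key, finding in triage().items():
        print(f"{key}: {finding}")
```

Point `scan_plugins_dir` at the real wp-content/plugins path and feed `is_udrpc_post` from whatever records request bodies on your stack; a positive version check alone only says the site was exposed, the other findings are what indicate compromise.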
CVSS provenance
NVD (v3.1): 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.1 HIGH
VulDB
davidanderson UpdraftPlus Plugin up to 1.26.4 on WordPress wp_loaded signature verification (EUVD-2026-36215 / CNNVD-202606-3068)
vuldb·2026-06-13·CVSS 8.1
A vulnerability, which was classified as problematic, was found in davidanderson UpdraftPlus Plugin up to 1.26.4 on WordPress. The impacted element is the function UpdraftPlus_Remote_Communications_V2::wp_loaded. The manipulation results in improper verification of cryptographic signature.
This vulnerability is cataloged as CVE-2026-10795. The attack may be launched remotely. There is no exploit available.
GHSA
GHSA (unreviewed) · 2026-06-11 · CWE-347 · HIGH
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
VulnCheck
updraftplus updraftplus Improper Verification of Cryptographic Signature
vulncheck·2026·CVSS 8.1
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
Affected: updraftplus updraftplus
Required Action: Apply
No detection rules found.
Nuclei
UpdraftPlus WP Backup & Migration Plugin - Authentication Bypass
nuclei·CVSS 8.1
UpdraftPlus WP Backup & Migration Plugin for WordPress /dev/null | base64 | tr -d '\n')
RSA_LEN=$(printf '%03x' ${#RSA_B64})
CT_LEN=$(printf '%016x' ${#CT_B64})
UDRPC_MSG="${RSA_LEN}${RSA_B64}${CT_LEN}${CT_B64}"
ENCODED_MSG=$(printf '%s' "$UDRPC_MSG" | sed 's/+/%2B/g; s/\//%2F/g; s/=/%3D/g')
printf 'format=1&key_name=%s&udrpc_message=%s' "$KEY_NAME" "$ENCODED_MSG"
http:
  - raw:
      - |
        GET /wp-content/plugins/updraftplus/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "UpdraftPlus")'
          - 'compare_versions(version, "<= 1.26.4")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - "(?i)Stable tag:\\s*([\\d.]+)"
        internal: true
References:
- https://plugins.svn.wordpress.org/updraftplus/tags/1.26.4/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc.php
- https://plugins.svn.wordpress.org/updraftplus/tags/1.26.4/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc2.php
- https://plugins.trac.wordpress.org/changeset/3561938/updraftplus/trunk/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc2.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e901c2a0-2477-4b9a-8483-6002419e0a2f?source=cve
Published: 2026-06-11
Exploited in the wild