cbcvebase.
CVE-2026-10795
published 2026-06-11

CVE-2026-10795: The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the…

Priority: P1 (83)
CVSS 3.1: 8.1 (high)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 3.58% (87.9th percentile)
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.

Affected (1 range)

Vendor: davidanderson
Product: updraftplus_wp_backup_migration_plugin
Version range: <= 1.26.4
Fixed in: not listed

Detection & IOCs (extracted from sources)

domain: tidio[.]cc
ip: 84.201.6.54
url: tidio.cc/cdn-cgi/
path: wp-content/plugins/content-delivery-helper
path: wp-content/plugins/database-optimizer
filename: pushengage-web-sdk.js
filename: pushengage-subscription.js
domain: clientcdn.pushengage.com (PushEngage CDN host; see the supply-chain note below)
path: /wp-content/plugins/updraftplus/readme.txt
other: developer_api1
command: POST / HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded ... format=1&key_name=%s&udrpc_message=%s
  • Scan wp-content/plugins on disk for the hidden plugin folders 'content-delivery-helper' or 'database-optimizer'. They do not appear in the WordPress dashboard, so their presence on disk indicates an active backdoor installation.
  • Review web server access logs and egress/proxy logs from June 12–14 UTC for POST/GET requests to tidio.cc (especially /cdn-cgi/ paths) and connections to 84.201.6.54; these indicate successful exploitation and data exfiltration.
  • Check WordPress user accounts for 'developer_api1' or accounts matching the pattern 'dev_xxxxxx'; these are attacker-created administrator accounts used for persistent access.
  • The exploit targets UpdraftPlus <= 1.26.4 via a crafted POST to the site root with the parameters 'format=1', 'key_name' and 'udrpc_message'. Detect exploitation attempts by monitoring for POST requests carrying these parameters where the response body contains 'udrpc_message'. Standard access logs do not record POST bodies, so this check needs a WAF, reverse proxy or request-body logging.
  • The authentication bypass forges the UDRPC message format: a crafted message with an RSA-encrypted block and a ciphertext block collapses to an all-zero encryption key and bypasses signature verification. Monitor for unauthenticated POST requests to WordPress sites running UpdraftPlus with 'udrpc_message' in the body.
  • The malicious script payload only executes when a WordPress administrator is logged in, and the backdoor is designed to be invisible from the WordPress admin dashboard. Detection therefore has to happen on the server side (filesystem and log review).
  • Version fingerprinting: fetch /wp-content/plugins/updraftplus/readme.txt and extract the 'Stable tag' version. Flag any site running UpdraftPlus <= 1.26.4 as vulnerable to CVE-2026-10795. Compare versions numerically rather than as strings so that a later multi-digit point release is not misjudged.
  • The entry point for the broader supply-chain attack (CDN tampering of PushEngage/OptinMonster/TrustPulse) is unconfirmed: PushEngage attributes it to CVE-2026-10795 exploitation on their marketing server, while Sansec considers the breached system still unknown.
  • The exposure window differed per plugin: OptinMonster and TrustPulse were exposed for about 25 minutes on June 12 (22:17–22:42 UTC); PushEngage's exposure ran for several hours on June 12 and into June 14. Scope your log review accordingly.
  • Removing the named malicious plugin and the rogue admin account may be insufficient: the attacker had arbitrary code execution and may have planted additional backdoors. Full credential rotation and server-side forensic scanning are required.
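As an added example (not code from this database, from UpdraftPlus, or from the cited sources), the following Python helpers implement the checks in the list above: parsing the readme 'Stable tag' and comparing it numerically against 1.26.4, the hidden plugin folder and rogue account checks, the network IOC match for egress logs, and a matcher for the exploit-shaped POST. The readme text and request are constructed samples; the character class used for 'dev_xxxxxx' and the assumption that the site is served at '/' are mine, not the page's.

```python
"""Triage helpers for hunting CVE-2026-10795 (UpdraftPlus <= 1.26.4).

Added example for this page; it is not code from the vulnerability database,
from UpdraftPlus or from any of the cited sources. The readme text and the
request below are constructed samples, not real captures.
"""
import re
from pathlib import Path
from urllib.parse import parse_qs

# Last vulnerable release per the advisory ("up to, and including, 1.26.4").
LAST_VULNERABLE = (1, 26, 4)

# Folder names, account names and network IOCs taken from the IOC list.
BACKDOOR_PLUGIN_DIRS = {"content-delivery-helper", "database-optimizer"}
# 'dev_xxxxxx': six characters after the prefix. The alphanumeric character
# class is an assumption; the page only gives the shape of the pattern.
ROGUE_ACCOUNT_RE = re.compile(r"^(?:developer_api1|dev_[A-Za-z0-9]{6})$")
NETWORK_IOCS = {"tidio.cc", "84.201.6.54"}  # tidio[.]cc refanged


def parse_stable_tag(readme_text):
    """Return the 'Stable tag' of a plugin readme.txt as an int tuple, or None.

    'Stable tag: trunk' and readmes without the line yield None.
    """
    m = re.search(r"^Stable tag:\s*(\d+(?:\.\d+)*)\s*$", readme_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable_version(version):
    """True when version <= 1.26.4. Tuples compare numerically, so a later
    two-digit point release is not misjudged the way a string compare would."""
    return version is not None and version <= LAST_VULNERABLE


def find_backdoor_plugins(plugin_dir_names):
    """Return the IOC plugin folders present among the given directory names."""
    return sorted(set(plugin_dir_names) & BACKDOOR_PLUGIN_DIRS)


def scan_plugins_path(wp_content_plugins):
    """Disk wrapper: the folders are hidden from the dashboard, not the filesystem."""
    names = [p.name for p in Path(wp_content_plugins).iterdir() if p.is_dir()]
    return find_backdoor_plugins(names)


def is_rogue_admin(username):
    """Match the attacker-created account names given in the IOCs."""
    return bool(ROGUE_ACCOUNT_RE.match(username))


def is_network_ioc(host):
    """Match a destination host or IP from egress/proxy logs against the IOCs."""
    return host.strip().lower().rstrip(".") in NETWORK_IOCS


def is_udrpc_exploit_attempt(method, path, content_type, body):
    """Match the request shape from the IOC list: a form-encoded POST to the
    site root carrying format=1, key_name and udrpc_message together.

    Needs request bodies (WAF, reverse proxy or body logging); plain access
    logs do not record them. Assumes the WordPress site is served at '/'.
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != "/":
        return False
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return False
    params = parse_qs(body, keep_blank_values=True)
    return params.get("format") == ["1"] and "key_name" in params and "udrpc_message" in params


# Constructed samples (not real captures).
SAMPLE_README = "=== Example plugin readme ===\nStable tag: 1.26.4\n"
SAMPLE_REQUEST = ("POST", "/", "application/x-www-form-urlencoded",
                  "format=1&key_name=site-key&udrpc_message=AAAA")

if __name__ == "__main__":
    ver = parse_stable_tag(SAMPLE_README)
    print("readme version:", ver, "vulnerable:", is_vulnerable_version(ver))
    print("backdoor dirs:", find_backdoor_plugins(["updraftplus", "database-optimizer"]))
    print("rogue admin dev_a1b2c3:", is_rogue_admin("dev_a1b2c3"))
    print("exploit-shaped request:", is_udrpc_exploit_attempt(*SAMPLE_REQUEST))
```

Point scan_plugins_path at a real wp-content/plugins directory and feed is_udrpc_exploit_attempt from whatever records request bodies; a hit on the request shape alone is a candidate, and the page's own rule is to confirm it against a response body containing 'udrpc_message'.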

CVSS provenance

NVD: v3.1 8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
VulnCheck: 8.1 HIGH