Disclosed June 13, CVE-2026-10795 (CVSS 8.1) hits UpdraftPlus, one of WordPress's most ubiquitous backup plugins, installed on over 3 million sites; versions up to and including 1.26.4 are affected. It's an authentication bypass leading to RCE: an unauthenticated attacker forges remote-communication commands, runs them as the connected administrator, and uploads a malicious plugin to take over the site. This is not password-guessing: broken signature verification plus a predictable all-zero key lets anyone impersonate the site owner. For teams that build on WordPress, this is the one to handle this week.
In plain language: UpdraftPlus has a remote-communications protocol. Its signature verification is flawed, and in some cases the encryption key decrypts to all zeros. Together, those two defects let an attacker with no credentials forge an RPC command that passes verification. The chain: forge command → upload malicious plugin as admin → activate → RCE. Unlike bugs that require a login, this one is unauthenticated.
Blast radius: 3M+ installs, and WordPress powers about 43% of all websites. Not yet on CISA KEV, but treat it as KEV-equivalent: the huge install base plus unauthenticated RCE invites rapid mass scanning.
Technical Details
- Type: Authentication Bypass (CWE-287) → RCE.
- Root cause: flawed remote-comms signature verification + decrypt-to-zero predictable key.
- Preconditions: UpdraftPlus ≤ 1.26.4 with remote comms reachable; no login, no interaction.
- PoC: details surfacing; expect rapid weaponization.
Immediate Actions
- Sysadmins: upgrade to the patched release now (anything at or below 1.26.4 is vulnerable); WAF-block unauthorized POSTs to the remote-comms endpoint; check for unexpected admins, recently added plugins, and file changes.
- Developers: full malware scan; compare plugin file hashes; review wp-content/plugins modification times.
- Agencies: notify clients via template; fold plugin security updates into retainers.
Patch vs Mitigation
| Scenario | Immediate Patch | If You Can't Patch Yet |
|---|---|---|
| General site | Upgrade to the patched release (anything ≤ 1.26.4 is vulnerable) | WAF-block unauthorized remote-comms requests |
| Can't update now | — | Deactivate UpdraftPlus; use server-level backups |
| Suspected breach | Patch then investigate | Isolate, rotate keys/passwords, restore clean backup |
IOCs & Threat Intel
- Unexpected new admin accounts (check wp_users, in particular the user_registered column, for accounts created around or after disclosure).
- Unknown plugin dirs or tampered PHP files in wp-content/plugins.
- Outbound C2 connections; common webshell filenames (e.g., wp-conf.php).
- High volume of unauthorized POSTs to the remote-comms endpoint.
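Two of the IOCs above (POST bursts to the remote-comms endpoint, admin accounts created after disclosure) can be hunted in data you already have. The script below is an added example, not code from the page or from UpdraftPlus. It assumes combined-format access logs, WP-CLI output in CSV, and a substring `RPC_PATTERN` that identifies remote-comms requests in your logs; the page does not name the endpoint, so the default `udrpc` is an assumption to replace with what your own logs show. The sample log and user lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or from UpdraftPlus): hunt for two of the IOCs
# in access logs and WP-CLI output. RPC_PATTERN and all sample data are assumed /
# constructed, not taken from the advisory.

# ASSUMPTION: the page does not name the remote-comms endpoint. Set this to the request
# substring your own logs show for UpdraftPlus remote communications.
RPC_PATTERN="${RPC_PATTERN:-udrpc}"

# Assumed disclosure date (the page says June 13 of the CVE year).
SINCE="2026-06-13 00:00:00"

# Flag source IPs that sent at least $1 POST requests whose path contains RPC_PATTERN.
# Reads combined-format access log lines on stdin; prints "count ip", busiest first.
flag_post_bursts() {
  threshold="$1"
  awk -v pat="$RPC_PATTERN" -v th="$threshold" '
    # combined log: ip - - [time zone] "METHOD path HTTP/x" status size ...
    $6 == "\"POST" && index($7, pat) > 0 { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= th) printf "%d %s\n", hits[ip], ip }
  ' | sort -rn
}

# Print administrator logins registered on or after $1 (YYYY-MM-DD HH:MM:SS).
# Reads the CSV produced by:
#   wp user list --role=administrator --fields=user_login,user_registered --format=csv
# MySQL DATETIME strings compare correctly as plain strings, so no date parsing is needed.
recent_admins() {
  since="$1"
  awk -F, -v since="$since" '$1 != "user_login" && $2 >= since { print $1 }'
}

# Constructed sample data (not real logs or users).
SAMPLE_LOG='203.0.113.9 - - [14/Jun/2026:02:10:01 +0000] "POST /?udrpc_message=x HTTP/1.1" 200 512
203.0.113.9 - - [14/Jun/2026:02:10:02 +0000] "POST /?udrpc_message=x HTTP/1.1" 200 512
203.0.113.9 - - [14/Jun/2026:02:10:03 +0000] "POST /?udrpc_message=x HTTP/1.1" 200 512
198.51.100.7 - - [14/Jun/2026:02:11:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
198.51.100.7 - - [14/Jun/2026:02:11:05 +0000] "POST /?udrpc_message=x HTTP/1.1" 200 512'

SAMPLE_USERS='user_login,user_registered
owner,2021-03-02 09:15:44
wp-support,2026-06-14 02:12:30'

# Usage: ./ioc_hunt.sh /var/log/apache2/access.log /var/www/site
# With no arguments nothing runs, so the functions can be sourced or tested.
if [ "$#" -ge 2 ]; then
  echo "== POST bursts to remote-comms endpoint (>= 20 requests) =="
  flag_post_bursts 20 < "$1"
  echo "== administrators registered since $SINCE =="
  wp --path="$2" user list --role=administrator \
     --fields=user_login,user_registered --format=csv | recent_admins "$SINCE"
fi
```

On the constructed sample, `flag_post_bursts 3` reports `3 203.0.113.9` and `recent_admins` reports `wp-support`; tune the threshold to your normal UpdraftCentral traffic, since a legitimate dashboard also POSTs to this endpoint, just not in bursts from unfamiliar addresses.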
What They Won't Tell You
- "Patch and you're fine" is an illusion: if the site was hit before you updated, backdoor accounts and webshells don't vanish with the upgrade; investigate separately.
- Many sites run UpdraftPlus install-and-forget, a year stale — the real risk is not knowing which client sites run old plugins.
The Bigger Trend
The WordPress plugin supply chain is a primary battlefield: breach one plugin, breach millions at once. Disclosure-to-exploitation keeps compressing; monthly checks no longer cut it — security updates need a 24–48h cadence. SecOps shifts from "patch my server" to "centralized updates and monitoring across a fleet."
FAQ
How do I check which client sites run UpdraftPlus fast?
Search the plugins list, or run wp plugin list --status=active via WP-CLI; for many sites use ManageWP or MainWP.
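For the fleet question above, and for the per-site checks under "Immediate Actions", here is an added example script (not from the page, not UpdraftPlus code). It assumes WP-CLI (`wp`) is on PATH, GNU `sort -V` and GNU `find -newermt`, and that each argument is the root of one WordPress install; `1.26.4` is the last vulnerable version per the advisory, and the disclosure date used for the file-change window is assumed from the page's "June 13".

```shell
#!/bin/sh
# Added example (not from the advisory or from UpdraftPlus): inventory a fleet of
# WordPress installs for vulnerable UpdraftPlus versions and run a first-pass check
# on each affected site. Assumes WP-CLI on PATH, GNU sort (-V) and GNU find (-newermt).

# Per the advisory, everything at or below this version is affected.
LAST_VULN="1.26.4"
# Assumed disclosure date (the page says June 13 of the CVE year).
SINCE="2026-06-13"

# Prints "vulnerable" if $1 <= LAST_VULN, else "patched". Natural version sort keeps
# 1.26.10 newer than 1.26.4, which a plain string compare would get wrong.
version_status() {
  v="$1"
  lowest=$(printf '%s\n%s\n' "$v" "$LAST_VULN" | sort -V | head -n 1)
  if [ "$lowest" = "$v" ]; then echo vulnerable; else echo patched; fi
}

# One site: $1 = path to the WordPress root. Prints a tab-separated status line and,
# for vulnerable sites, the first-look artefacts a responder wants to see.
check_site() {
  site="$1"
  ver=$(wp --path="$site" plugin get updraftplus --field=version 2>/dev/null) || ver=""
  if [ -z "$ver" ]; then
    printf '%s\tnot-installed\n' "$site"
    return 0
  fi
  status=$(version_status "$ver")
  active=$(wp --path="$site" plugin get updraftplus --field=status 2>/dev/null)
  printf '%s\t%s\t%s\t%s\n' "$site" "$ver" "$active" "$status"
  if [ "$status" = vulnerable ]; then
    # PHP files touched since disclosure anywhere under the plugins directory.
    find "$site/wp-content/plugins" -name '*.php' -newermt "$SINCE" -print
    # Compare shipped files against the wordpress.org package checksums.
    wp --path="$site" plugin verify-checksums updraftplus 2>&1 | tail -n 5
  fi
}

# Usage: ./fleet_check.sh /var/www/siteA /var/www/siteB ...
# With no arguments nothing runs, so the functions can be sourced or tested.
for site in "$@"; do
  check_site "$site"
done
```

Pipe the output into your ticketing system or a spreadsheet; the status column gives the patch queue, and any `find` hits or checksum mismatches on a vulnerable site move that site from "patch" to "investigate" per the table above.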
After upgrading, what else makes it safe?
Scan for malware, check admin accounts, verify file integrity. If any check fails, treat as breached — isolate, rotate keys, restore clean backup.
Does it need the attacker to log in first?
No. It's unauthenticated; a scanner that finds a site on an old version can hit it directly.
My Take
The mainstream says "just turn on auto-updates." My take: for agencies that''s risky — major updates break compatibility and can down a site at 2am. Run a tiered policy: security fixes on a fast lane, verified within 24h; major updates through staging. ScriptWalker takeaway: package "plugin security audit + tiered updates" as a priced retainer clause — this CVE is the perfect sales argument.