CVE-2026-10795: UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 - Unauthenticated Authentication Bypass via UpdraftCentral udrpc
The UpdraftPlus: WP Backup & Migration Plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. The cause is insufficient validation of the remote communications message format: signature verification can be bypassed, and the return values of the decryption calls are never checked, so a failed decryption collapses the encryption key to a predictable all-zero value. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, for example uploading and activating a malicious plugin, which ultimately leads to remote code execution.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability affects the UpdraftPlus: WP Backup and Migration Plugin for WordPress in all versions up to and including 1.26.4. The flaw lives in the UpdraftCentral remote communications handler, where insufficient validation of message signatures and unchecked decryption return values allow the encryption key to collapse to a predictable all-zero value. An unauthenticated remote attacker can forge arbitrary RPC commands that execute with administrator-level privileges, enabling remote code execution by uploading and activating a malicious plugin. No fix version has been published yet; HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as one is released.
HarborGuard Coverage
Detection for CVE-2026-10795 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built WordPress images that bundle the UpdraftPlus plugin.
Status: Available
HarborGuard scores this finding at CVSS 8.1 (High) using the published v3.1 vector and can apply per-environment compliance policy weighting to escalate or suppress the alert before routing it to the appropriate team inbox within each customer organization.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment the upstream maintainer ships a corrected release. In the meantime, customers with auto-remediation enabled will see the finding flagged for manual review with compensating-control guidance attached.
Status: Pending upstream
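The image matching described above comes down to reading the plugin's version out of the bundled files and comparing it against 1.26.4. The script below, added here as an example and not HarborGuard's or UpdraftPlus's code, performs the same check locally against a WordPress document root: it reads the `Version:` header from the plugin's main PHP file the way WordPress itself does (only the first 8 KiB of the file) and compares it numerically, so that 1.26.10 is treated as newer than 1.26.4 rather than older, as a plain string comparison would. The plugin directory name `updraftplus` and the sample plugin header written by `make_sample_tree` are assumptions made for the demo.

```python
"""Local check for the affected UpdraftPlus version range.  Added example; the
plugin slug and the constructed sample plugin header are assumptions for the demo."""
import re
import tempfile
from pathlib import Path

AFFECTED_MAX = "1.26.4"        # highest affected version stated in the advisory
PLUGIN_SLUG = "updraftplus"    # assumed directory name under wp-content/plugins
HEADER_BYTES = 8192            # WordPress reads only the first 8 KiB for plugin headers
# Matches "Version: x.y.z" at the start of a line inside the leading PHP comment,
# tolerating the " * " or "#" comment prefixes plugin authors use.
VERSION_RE = re.compile(r"^[\s*#/]*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def plugin_version(header_text: str):
    """Extract the Version: header value from a plugin file's leading comment."""
    match = VERSION_RE.search(header_text)
    return match.group(1) if match else None


def version_key(version: str) -> tuple:
    """Numeric tuple for comparison, so 1.26.10 sorts after 1.26.4; a non-numeric
    suffix such as "-beta" is ignored and missing components count as 0."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version is at or below the advisory's upper bound."""
    return version_key(version) <= version_key(AFFECTED_MAX)


def scan_wordpress_root(root):
    """Return (version, affected) for the plugin under a WordPress docroot, None if it
    is not installed, or ("unknown", True) if it is present but the header is unreadable."""
    plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        with php.open("rb") as fh:
            version = plugin_version(fh.read(HEADER_BYTES).decode("utf-8", errors="replace"))
        if version:
            return version, is_affected(version)
    return "unknown", True      # fail closed: plugin present, version not determinable


def make_sample_tree(version: str) -> Path:
    """Build a throwaway WordPress-like tree containing a constructed plugin header (test data)."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True)
    (plugin_dir / f"{PLUGIN_SLUG}.php").write_text(
        "<?php\n/*\nPlugin Name: UpdraftPlus (constructed sample header)\n"
        f"Version: {version}\n*/\n",
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    for sample in ("1.26.4", "1.26.10"):
        print(sample, scan_wordpress_root(make_sample_tree(sample)))
```

Point `scan_wordpress_root` at a mounted container filesystem or an unpacked image layer to check a built image; an installed plugin whose header cannot be parsed is reported as affected on purpose, since silently skipping it is how scanners miss vendored copies.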
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the WordPress site over the network, as the vulnerable RPC endpoint is exposed via HTTP.
- Authentication: Not required
No account or credentials are needed; the vulnerability allows a completely unauthenticated attacker to forge valid-looking RPC commands.
- Victim interaction: Not required
The attack is fully automated and requires no action from any user or administrator on the target site.
- Attack complexity: High
Exploitation requires crafting a message that passes the weakened signature check and triggers the all-zero key collapse, which is why the CVSS vector rates attack complexity High (AC:H). The decryption behaviour is deterministic once understood, however, so a working message does not depend on chance or on winning a race.
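To make the key-collapse step concrete, here is a toy model of the bug class, added as an example and not UpdraftPlus code. A hash-based stream cipher stands in for the real symmetric cipher, a MAC-protected wrap under a shared site secret stands in for the RSA-encrypted session key, and `php_style_key` mimics how PHP's openssl_encrypt/openssl_decrypt treat a false or empty key: it becomes an empty string and is NUL-padded out to the cipher's key length. The vulnerable handler never checks the unwrap result, so a junk key blob degrades to the all-zero key and a body encrypted under that key decrypts to whatever the attacker chose; the hardened handler fails closed. The signature-bypass half of the advisory is not modelled, and the command strings are constructed placeholders rather than real udrpc commands.

```python
"""Toy model of an unchecked key-unwrap failure degrading to an all-zero symmetric key.
Constructed example, not the plugin's code; cipher and wrap are stand-ins."""
import hashlib
import hmac
import os

KEY_LEN = 32                   # key length the (toy) symmetric cipher expects
ZERO_KEY = b"\x00" * KEY_LEN


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based keystream standing in for the real cipher: block i = SHA-256(key|nonce|i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def php_style_key(raw) -> bytes:
    """Mimic PHP's openssl_encrypt/openssl_decrypt key handling: a false or empty key
    becomes "" and a key shorter than KEY_LEN is right-padded with NUL bytes."""
    raw = raw or b""
    return raw.ljust(KEY_LEN, b"\x00")[:KEY_LEN]


def wrap_key(session_key: bytes, site_secret: bytes) -> bytes:
    """Client side: protect the per-message session key so only the site can recover it
    (encrypt-then-MAC under a shared secret stands in for RSA to the site's public key)."""
    nonce = os.urandom(16)
    ct = sym_crypt(site_secret, nonce, session_key)
    tag = hmac.new(site_secret, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(blob: bytes, site_secret: bytes):
    """Site side: return the session key, or False on any failure, mirroring the
    false return of openssl_private_decrypt()."""
    if len(blob) < 16 + 32:
        return False
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(site_secret, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    return sym_crypt(site_secret, nonce, ct)


def build_message(command: bytes, key_blob: bytes, session_key: bytes) -> dict:
    """Message = wrapped session key + body encrypted under that session key."""
    nonce = os.urandom(16)
    return {"key_blob": key_blob, "nonce": nonce, "ct": sym_crypt(session_key, nonce, command)}


def legit_message(command: bytes, site_secret: bytes) -> dict:
    session_key = os.urandom(KEY_LEN)
    return build_message(command, wrap_key(session_key, site_secret), session_key)


def forged_message(command: bytes) -> dict:
    """Attacker: a junk key blob (unwrap will fail) plus a body encrypted under the
    all-zero key the handler is about to fall back to."""
    return build_message(command, b"\xff" * 80, ZERO_KEY)


def handle_vulnerable(msg: dict, site_secret: bytes) -> bytes:
    """Bug: the unwrap result is never checked, so False silently becomes the zero key."""
    session_key = unwrap_key(msg["key_blob"], site_secret)
    return sym_crypt(php_style_key(session_key), msg["nonce"], msg["ct"])


def handle_hardened(msg: dict, site_secret: bytes) -> bytes:
    """Fix: fail closed on an unwrap failure or a wrong-length key before touching the cipher."""
    session_key = unwrap_key(msg["key_blob"], site_secret)
    if session_key is False or len(session_key) != KEY_LEN:
        raise PermissionError("session key unwrap failed; message rejected")
    return sym_crypt(session_key, msg["nonce"], msg["ct"])


def demo() -> dict:
    """Run both handlers against a legitimate and a forged message (constructed payloads)."""
    site_secret = os.urandom(KEY_LEN)
    legit, forged = b'{"command": "backup.status"}', b'{"command": "plugin.install"}'
    results = {
        "vuln_legit": handle_vulnerable(legit_message(legit, site_secret), site_secret) == legit,
        "vuln_forged": handle_vulnerable(forged_message(forged), site_secret) == forged,
        "hard_legit": handle_hardened(legit_message(legit, site_secret), site_secret) == legit,
    }
    try:
        handle_hardened(forged_message(forged), site_secret)
        results["hard_forged_rejected"] = False
    except PermissionError:
        results["hard_forged_rejected"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The lesson transfers directly to the PHP original: a decryption or verification call that can return `false` must be checked with a strict comparison before its result is used, because once a falsy value reaches the cipher the key is no longer secret, and it must be the attacker who cannot make the check pass, not merely the legitimate client who can.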
Blast Radius
- A successful attacker can upload and activate an arbitrary plugin, giving them full remote code execution on the WordPress host.
- The attacker gains read access to all site content, stored credentials, and any secrets held in the WordPress database or filesystem, including the remote-storage credentials UpdraftPlus keeps for its backup destinations and the backup archives themselves.
- The attacker can modify or delete site content, database rows, and configuration files, including creating rogue administrator accounts.
- The attacker can crash or destabilize the WordPress application and any services co-located on the same host.
How HarborGuard Handles This
Because no upstream fix exists for CVE-2026-10795, the platform monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically when the UpdraftPlus maintainer publishes a corrected release. For customers with auto-remediation enabled, that rebuild is followed immediately by a regression-test run and a PR opened against affected workloads. While the fix is pending, HarborGuard surfaces the finding with a High severity flag and supports compensating controls such as network-policy rules that restrict external access to the WordPress admin and UpdraftCentral communication endpoints, egress filtering to limit outbound plugin installation requests, and feature-flag or WAF-rule gating on the affected RPC path. One caveat when writing those rules: the vulnerable handler runs from the wp_loaded hook, which WordPress fires on front-end requests as well as admin ones, so a rule that only shields /wp-admin does not cover the RPC path; the gate has to match the UpdraftCentral message itself. Deactivating the plugin until a fixed release ships removes the handler entirely, at the cost of scheduled backups in the meantime. Customers should treat any WordPress image bundling UpdraftPlus at or below version 1.26.4 as critically exposed until the upstream patch is available.
Affected Products
- davidanderson / UpdraftPlus: WP Backup & Migration Plugin: ≤ 1.26.4
  CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H