CVE-2026-10795
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
The UpdraftPlus: WP Backup & Migration Plugin for WordPress is vulnerable to Authentication Bypass in all versions up to and including 1.26.4. This is due to insufficient validation of the remote communications message format, allowing signature verification to be bypassed.
Risk Assessment
Unauthenticated attackers can forge arbitrary RPC commands and run them as the connected administrator, potentially leading to remote code execution.
Recommendation
It is recommended to update the plugin to the latest version to mitigate this vulnerability and to monitor the system for unauthorized activities.
Original NVD description (English source)
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.

