PatchSiren cyber security CVE debrief
CVE-2026-10795 davidanderson CVE debrief
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
- Vendor
- davidanderson
- Product
- UpdraftPlus: WP Backup & Migration Plugin
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-11
- Original CVE updated
- 2026-06-11
- Advisory published
- 2026-06-11
- Advisory updated
- 2026-06-11
Who should care
Users of the UpdraftPlus: WP Backup & Migration Plugin for WordPress, particularly those with versions up to and including 1.26.4, should update to a patched version as soon as possible to prevent potential authentication bypass attacks.
Technical summary
The vulnerability exists in the UpdraftPlus_Remote_Communications_V2::wp_loaded function, where the plugin fails to properly validate the remote communications message format. This allows attackers to bypass signature verification and use a predictable encryption key, enabling them to forge and execute arbitrary RPC commands as an administrator.
Defensive priority
High
Recommended defensive actions
- Update to a patched version of the UpdraftPlus: WP Backup & Migration Plugin (version greater than 1.26.4) as soon as possible.
- Review and monitor plugin updates and security advisories from the vendor.
- Consider implementing additional security measures, such as two-factor authentication and monitoring for suspicious activity.
Evidence notes
The CVE record and details were obtained from the official CVE.org and NVD sources.
Official resources
CVE-2026-10795 was published on 2026-06-11T07:16:26.713Z and modified on 2026-06-11T14:42:47.007Z.