ZeroPath at Black Hat USA 2026

UpdraftPlus CVE-2026-10795: Brief Summary of the Authentication Bypass Threatening 3M+ WordPress Sites

A brief summary of CVE-2026-10795, a CVSS 8.1 authentication bypass in the UpdraftPlus WordPress plugin affecting 3 million+ sites. Covers the dual cryptographic flaw, patch details, detection methods, and confirmed active exploitation.

CVE Analysis

12 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-10

UpdraftPlus CVE-2026-10795: Brief Summary of the Authentication Bypass Threatening 3M+ WordPress Sites
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A dual cryptographic flaw in the UpdraftPlus WordPress plugin allows unauthenticated attackers to forge signed RPC commands and execute them with administrator privileges, ultimately achieving remote code execution on any of the plugin's 3 million+ active installations. Wordfence confirmed the severity by reporting nearly 8,000 blocked exploitation attempts within the first 24 hours of public disclosure, and the vulnerability has been assigned a CVSS score of 8.1 (High).

UpdraftPlus is the most widely deployed scheduled backup and migration plugin in the WordPress ecosystem. Developed by Team Updraft (a UK based company), it has been available on the WordPress.org repository since 2012 and powers backup workflows for over 3 million sites. Its companion product, UpdraftCentral, provides a centralized dashboard for managing multiple WordPress installations remotely, and it is this remote management RPC layer that contains the vulnerable code.

Technical Information

Vulnerable Component

The vulnerability resides in the UpdraftPlus_Remote_Communications_V2 class, specifically within the wp_loaded function defined in class-udrpc2.php. This file is part of the updraft-rpc library bundled in the plugin's vendor/team-updraft/common-libs/src/ directory. The base class UpdraftPlus_Remote_Communications (in class-udrpc.php) provides foundational encryption, sending, receiving, and decryption methods, while the V2 class extends it with the wp_loaded handler that processes inbound RPC requests during WordPress initialization.

When a WordPress site is connected to an UpdraftCentral dashboard, the RPC listener is registered on every page load. It watches for inbound HTTP POST requests containing a udrpc_message parameter. Under normal operation, these messages are RSA signed and AES encrypted: the dashboard encrypts a symmetric key with the site's RSA public key, then uses that symmetric key to encrypt the RPC command payload. The site decrypts the symmetric key with its private key, then decrypts the payload, and finally verifies the signature before dispatching the command.

The Dual Cryptographic Failure

CVE-2026-10795 exploits two interconnected flaws in this process, classified under CWE-347 (Improper Verification of Cryptographic Signature).

Flaw 1: Signature Verification Bypass. The wp_loaded function performs insufficient validation of the remote communications message format. When an inbound message is received, the code does not properly verify the cryptographic signature that should authenticate the message as originating from a trusted UpdraftCentral dashboard. By crafting a malformed message that exploits gaps in format validation, an attacker can bypass the signature check entirely.

Flaw 2: All Zero Encryption Key Collapse. This is where the vulnerability becomes truly dangerous. In the vulnerable code, the method extracts an RSA encrypted symmetric key from the incoming message, decrypts it via phpseclib's RSA::decrypt(), and immediately feeds the result into Rijndael::setKey() to decrypt the message body:

// Decrypt the encrypted symmetric key $rsa->loadKey($this->key_local); $sym_key = base64_decode($sym_key); $sym_key = $rsa->decrypt($sym_key); // Decrypt the message $rij->setKey($sym_key); return $rij->decrypt($ciphertext);

The critical oversight is that $rsa->decrypt() returns false when decryption fails (for example, when the supplied ciphertext does not match the site's private key) rather than throwing an exception. When false is passed directly to Rijndael::setKey(), phpseclib silently collapses to a deterministic cipher configuration: an all zero AES-128 key with an all zero initialization vector. This is a known, reproducible state that any attacker can trivially replicate locally.

Exploitation Chain

The complete attack flow proceeds as follows:

  1. Target identification. The attacker identifies a WordPress site running UpdraftPlus version 1.26.4 or earlier with the UpdraftCentral RPC endpoint active. The presence of the udrpc_message listener can be inferred from the plugin being installed and connected to UpdraftCentral.

  2. Signature bypass. The attacker crafts a malformed RPC message that exploits the insufficient format validation to bypass signature verification.

  3. Key collapse trigger. The malformed message includes a deliberately garbled RSA encrypted symmetric key block. When the site attempts to decrypt this with its private RSA key, $rsa->decrypt() returns false.

  4. Deterministic key exploitation. Because the false return value is never checked, it flows directly into Rijndael::setKey(), collapsing the AES configuration to the all zero key and IV. The attacker, knowing this will happen, has encrypted their forged RPC command payload using the same all zero key and IV locally.

  5. Command execution. The system decrypts the attacker's payload successfully (since both sides are now using the same deterministic key), accepts it as a valid RPC command, and dispatches it. The UpdraftCentral_Listener::udrpc_action() function calls wp_set_current_user() with the original connecting administrator's user ID, elevating the request to full admin context.

  6. Remote code execution. The attacker forges RPC commands such as plugin.upload_plugin and plugin.activate_plugin to upload and activate a malicious plugin containing a webshell or other backdoor, achieving full remote code execution on the server.

CVSS Vector Breakdown

CVSS ComponentValueMeaning
Attack Vector (AV)NetworkExploitable remotely over the internet
Attack Complexity (AC)HighRequires understanding of the RPC message format and cryptographic behavior
Privileges Required (PR)NoneNo authentication required
User Interaction (UI)NoneNo user action needed
Scope (S)UnchangedImpact confined to the vulnerable component
Confidentiality (C)HighFull access to site data
Integrity (I)HighFull modification of site content
Availability (A)HighFull control including site disruption

The High attack complexity reflects the need for an attacker to understand the specific RPC protocol internals and the deterministic all zero key behavior. However, once a working exploit is developed, it can be weaponized and deployed at scale, as confirmed by the thousands of attack attempts already observed.

Patch Information

The UpdraftPlus team released version 1.26.5 (free) and 2.26.5 (premium) on June 5, 2026, to fix CVE-2026-10795. The corresponding code change is tracked in WordPress Plugin Trac changeset 3561938, modifying the file class-udrpc2.php within the bundled updraft-rpc library.

The fix is surgically precise and targets the root cause: a missing return value check in the decrypt_message() method of the UpdraftPlus_Remote_Communications_V2 class. The patch adds a strict guard immediately after the RSA decryption call:

$sym_key = $rsa->decrypt($sym_key); if (false === $sym_key || !is_string($sym_key) || strlen($sym_key) < 16) { return false; } // Decrypt the message $rij->setKey($sym_key); return $rij->decrypt($ciphertext);

The three validation checks each serve a distinct purpose:

  1. false === $sym_key uses strict identity comparison to catch the explicit false return from a failed RSA decryption, which is the primary exploit vector.
  2. !is_string($sym_key) ensures the decrypted value is actually a string, guarding against any other unexpected non-string return types that could cause similar type juggling issues.
  3. strlen($sym_key) < 16 enforces that the decrypted symmetric key is at least 16 bytes (128 bits), the minimum valid AES key length, preventing truncated or degenerate keys from being accepted.

If any of these conditions is true, the function returns false early. This means the upstream RPC listener rejects the forged message entirely; the dispatcher never reaches the point where it would call wp_set_current_user() to elevate the request to an administrator context.

WordPress has also triggered a forced update for the plugin, so sites with automatic updates enabled should receive the patched version automatically. Sites with automatic updates disabled must update manually.

Additional patching notes:

  • For users running UpdraftCentral as a standalone plugin, version 0.8.32 contains the equivalent patch.
  • The vendor released a standalone hotfix plugin (available at teamupdraft.com/wp-content/uploads/updraftplus-hotfix-jun2026.zip) for users unable to immediately upgrade, for example those with expired premium licenses.
  • The AIOS (All In One Security) plugin version 5.4.9 shipped with a firewall rule that blocks exploitation attempts at the WAF level.

Detection Methods

Detecting exploitation of CVE-2026-10795 requires a layered approach that accounts for both the network level attack vector (forged udrpc_message POST requests) and the host level artifacts left by successful compromise. As of this writing, no community maintained open source YARA, Sigma, or Snort/Suricata signatures specific to this CVE have been published. Detection currently depends on commercial WAF rules, manual log analysis, and version based scanning.

Commercial WAF Rules

Wordfence deployed a dedicated firewall rule on June 3, 2026 for Premium, Care, and Response customers. Free tier Wordfence users will receive the same rule on July 3, 2026. The Wordfence Threat Intel dashboard reported blocking 6,790 attacks targeting this vulnerability within a single 24 hour window. Patchstack has also issued its own virtual patching rule for customers of its platform.

Network Level Indicators

The core of this exploit is a crafted HTTP POST request containing a serialized udrpc_message parameter. Defenders should look for:

  • Inbound POST requests containing a udrpc_message parameter directed at any WordPress endpoint. Legitimate UpdraftCentral traffic also uses this parameter, but the volume, origin, and context should differ significantly from exploit traffic.
  • Malformed RSA encrypted key portions within the message. The attack relies on sending a deliberately garbled symmetric key block that causes RSA::decrypt() to return false. Any IDS/IPS capable of deep packet inspection on HTTP POST bodies could be tuned to flag udrpc_message payloads where the encrypted symmetric key section does not conform to expected RSA ciphertext lengths or patterns.
  • Suspicious RPC command sequences. Successful exploitation dispatches RPC commands such as plugin.upload_plugin and plugin.activate_plugin in rapid succession from an unauthenticated source. WAF or reverse proxy log analysis should flag any occurrence of these command strings arriving without a corresponding authenticated WordPress admin session cookie.

Host Level and Log Based Detection

If you suspect a site may have already been compromised through this vector, several host level artifacts can serve as indicators of compromise:

  • Unexpected plugins in /wp-content/plugins/: The canonical exploitation path involves uploading a malicious plugin ZIP via the plugin.upload_plugin RPC command, then activating it with plugin.activate_plugin. Any unfamiliar or recently added plugin directories, particularly those containing webshell like PHP files, should be treated as suspicious.
  • Plugin activations without correlated admin activity: Check the WordPress wp_options table for changes to active_plugins that do not correspond to any legitimate administrator session. If your site has an activity logging plugin, look for activate_plugin events without a preceding dashboard login.
  • UpdraftPlus debug logs: If UpdraftPlus debug logging is enabled, look for entries indicating RSA decryption failures (where $rsa->decrypt() returned false) followed by successful message dispatch. This is the exact signature of the cryptographic bypass in action.
  • Calls to wp_set_current_user() without valid authentication cookies: The exploit chain culminates in the UpdraftCentral_Listener::udrpc_action() function calling wp_set_current_user() with the original connecting admin's user ID, without a legitimate auth cookie being present. Plugins or custom instrumentation that audit user context switches can flag this anomaly.

Version Fingerprinting

The simplest proactive detection is version identification. Any UpdraftPlus installation at version 1.26.4 or earlier that has ever been connected to UpdraftCentral is vulnerable. WordPress vulnerability scanners such as WPScan, Wordfence's built in scanner, and Patchstack's platform can all identify outdated plugin versions.

Affected Systems and Versions

The vulnerability affects the following:

  • UpdraftPlus: WP Backup & Migration Plugin (Free): All versions up to and including 1.26.4. Patched in version 1.26.5.
  • UpdraftPlus Premium: All versions up to and including the premium equivalent of 1.26.4. Patched in version 2.26.5.
  • UpdraftCentral (Standalone Plugin): Affected versions prior to 0.8.32, which contains the equivalent patch.

The vulnerability specifically requires that the UpdraftCentral remote management feature has been connected at some point, as this activates the RPC listener endpoint. Sites running UpdraftPlus purely for local backups without an UpdraftCentral connection have a reduced (though not necessarily zero) attack surface, since the udrpc_message listener registration depends on the presence of stored UpdraftCentral connection keys.

The affected install base exceeds 3 million active WordPress installations according to the WordPress.org plugin repository.

Vendor Security History

UpdraftPlus has a documented history of security vulnerabilities across multiple years:

CVE / VulnerabilityTypeAffected VersionYear
CVE-2026-10795Authentication Bypass via UpdraftCentral udrpc<= 1.26.42026
CVE-2025-0215Reflected XSS via showdata/initiate_restoreNot specified2025
CVE-2024-10957Security Bypass (impacting millions of sites)<= 1.24.112024
Information DisclosureInfo Disclosure via updraft_ajaxrestore<= 1.22.24Prior
CSRFCross Site Request Forgery<= 1.22.24Prior

The pattern of two high severity issues within a 12 month span (CVE-2024-10957 and CVE-2026-10795) suggests systemic weaknesses in the plugin's cryptographic implementation and input validation practices. A previous forced update event for UpdraftPlus in 2022 also indicates that severe security issues have required emergency response before.

To their credit, Team Updraft responded to CVE-2026-10795 with a coordinated disclosure alongside Wordfence, a prompt patch release, and a detailed security advisory urging immediate updates. Security researcher vtim discovered and responsibly disclosed the vulnerability, receiving a $5,200 bug bounty from Wordfence.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization