A signature-verification bypass in UpdraftPlus's UpdraftCentral remote communication layer (CVE-2026-10795, CVSS 8.1) lets unauthenticated attackers forge RPC commands that execute with administrator privileges. Successful exploitation can lead to plugin installation and activation — meaning arbitrary PHP code execution. The flaw was disclosed June 11, 2026 and patched in version 1.26.5. Wordfence reported blocking nearly 5,000 exploitation attempts in a single 24-hour window, confirming active scanning. UpdraftPlus has 3 million+ active installs.

What the Vulnerability Is

UpdraftPlus includes a remote-management component called UpdraftCentral, which lets site owners manage backups across many sites from a central dashboard. Dashboard and site talk over encrypted RPC messages, and the UpdraftPlus_Remote_Communications_V2::wp_loaded function is supposed to verify a cryptographic signature before honoring any RPC command. The signature-verification logic can be made to succeed on a forged message: when validation is bypassed, the decryption step yields a predictable all-zero encryption key instead of rejecting the message. An attacker who understands the protocol can therefore craft a valid-looking RPC envelope without any credentials and have the command execute on the WordPress site as though it came from a connected administrator. Installing and activating a plugin is one such command, and a plugin is arbitrary PHP, so this is effectively unauthenticated remote code execution.

Why It Matters

  • Three million active installs. UpdraftPlus is the most widely used WordPress backup plugin; the attack surface is enormous.
  • Unauthenticated, no user interaction required. Anyone who can make an HTTP request to the site can attempt exploitation.
  • Path to full site takeover. The ability to install and activate plugins means attackers can drop a web shell, create admin accounts, or exfiltrate the entire database.
  • Wordfence blocked 4,987 attempts in 24 hours, so attackers moved fast after disclosure.
  • SiteGround force-patched 128,000+ sites automatically, which signals how seriously the hosting community treated this flaw.

Am I Affected?

You are exposed if all of the following hold: UpdraftPlus (free or premium) is installed and active, the plugin version is 1.26.4 or earlier, and the UpdraftCentral RPC handler is reachable. The handler is reachable by default (disabling it requires explicit configuration), so having never connected the site to an UpdraftCentral dashboard does not by itself put you out of scope. Check your version under WordPress Dashboard → Plugins → Installed Plugins → UpdraftPlus.

What to Do About It

1. Update UpdraftPlus immediately

From the WordPress admin panel, go to Dashboard → Updates, find UpdraftPlus, and update to 1.26.5 or later. Or via WP-CLI:

wp plugin update updraftplus --allow-root
wp plugin get updraftplus --fields=name,version

Confirm the version shows 1.26.5 or higher. Drop --allow-root if you run WP-CLI as the site's own user, which is the safer way to run it.

2. Disable UpdraftCentral if you don't use it

If you don't actively use the UpdraftCentral remote management dashboard, disable the feature to reduce attack surface: WordPress Admin → Settings → UpdraftPlus → Advanced Tools → UpdraftCentral, then toggle off / disconnect all UpdraftCentral connections.

3. Check for unauthorized plugin installations

wp plugin list --fields=name,status,version --format=csv

Look for plugins you don't recognize, especially active ones. Note that wp plugin list does not report an install date; the modification time of the plugin's directory under wp-content/plugins is the nearest proxy for when it appeared.

4. Audit for unauthorized admin accounts

wp user list --role=administrator --fields=ID,user_login,user_email,user_registered

Flag any administrator accounts created in or after June 2026 that you don't recognize.

5. Review PHP file modifications

find /var/www/html/wp-content/plugins -name "*.php" -newer /var/www/html/wp-config.php -ls
find /var/www/html/wp-content/uploads -name "*.php" -ls

PHP files under /uploads are almost never legitimate (WordPress stores only media there) and are a strong indicator of a dropped web shell. Copy any you find somewhere safe for later analysis before deleting them, and treat the find as evidence of compromise that calls for a full cleanup, not as the end of it.

6. Check server logs for RPC exploit attempts

grep -i "updraftcentral\|udrpc\|updraft_central" /var/log/nginx/access.log
grep -i "updraftcentral\|udrpc\|updraft_central" /var/log/apache2/access.log

High volumes of POST requests to wp-json/updraftplus/v1/ or similar from unfamiliar IPs warrant investigation. Two caveats: the RPC message travels in the POST body, which access logs do not record, so a URL match alone neither confirms nor rules out an attempt; and the path given here should be confirmed against the plugin's source or a WAF log rather than assumed. A reverse proxy or WAF that logs request bodies, or Wordfence's own firewall log, is the better source for confirming attempts.
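The six steps above collected into one script. This is an added example written for this page, not code from UpdraftPlus, Wordfence or SiteGround, and the specific checks it runs (a version comparison against 1.26.5, a scan for PHP under uploads, plugin-directory timestamps as an install-date proxy, a filter on administrator registration dates, and per-IP POST counts from a combined-format access log) are this editor's choices rather than anything the advisory prescribes. It assumes WP-CLI (`wp`) is on PATH and a real WordPress install at the given path for the live checks; the file, CSV and log checks take paths, so they are exercised here against a constructed sample tree whose plugins, users and log lines are invented.

```shell
#!/usr/bin/env bash
# Post-patch audit helpers for the six steps above. Example code added for
# this page, not code from UpdraftPlus, Wordfence or SiteGround. File-, CSV-
# and log-based checks take paths so they can run against the constructed
# tree from make_sample_tree; live_audit assumes `wp` (WP-CLI) is on PATH.
set -u

FIXED_VERSION="1.26.5"

# version_is_fixed VERSION -> true if VERSION is 1.26.5 or later.
version_is_fixed() {
    local lowest
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$1" | sort -V | head -n1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# php_in_uploads UPLOADS_DIR -> every PHP-like file under uploads. The
# directory should hold media only; anything listed needs investigation.
php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) -print
}

# recent_plugin_dirs PLUGINS_DIR DAYS -> plugin directories created or
# modified within DAYS days. `wp plugin list` has no install-date field, so
# the directory mtime is the closest proxy for "recently installed".
recent_plugin_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -mtime "-$2" | sed 's#.*/##' | sort
}

# new_admins CSV_FILE CUTOFF -> logins of administrators registered on or
# after CUTOFF (YYYY-MM-DD). CSV_FILE is the output of:
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv
new_admins() {
    awk -F, -v cutoff="$2" 'NR > 1 && substr($4, 1, 10) >= cutoff { print $2 }' "$1"
}

# post_counts_by_ip ACCESS_LOG -> "COUNT IP" per client that sent a POST,
# busiest first (combined log format: IP is field 1, method is field 6 with
# its leading quote). The RPC message rides in the POST body, which access
# logs do not record, so a burst of POSTs from one unfamiliar address is the
# practical signal rather than any particular URL.
post_counts_by_ip() {
    awk '$6 == "\"POST" { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# make_sample_tree -> constructed wp-content layout, admin CSV and access log
# in a temp dir; prints its path. Every file, user and log line is invented.
make_sample_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/plugins/updraftplus" "$d/plugins/wp-file-manager" "$d/uploads/2026/06"
    : > "$d/plugins/updraftplus/updraftplus.php"
    : > "$d/plugins/wp-file-manager/file_manager.php"
    : > "$d/uploads/2026/06/photo.jpg"
    : > "$d/uploads/2026/06/cache.php"              # stand-in for a dropped web shell
    touch -t 202401010000 "$d/plugins/updraftplus"  # long-standing plugin, old mtime
    cat > "$d/admins.csv" <<'EOF'
ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-09 14:22:01
57,wp_support,support@example.net,2026-06-12 03:14:07
EOF
    cat > "$d/access.log" <<'EOF'
203.0.113.5 - - [12/Jun/2026:03:10:01 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jun/2026:03:10:02 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jun/2026:03:10:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 98 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2026:08:00:00 +0000] "GET /about/ HTTP/1.1" 200 9043 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2026:08:00:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$d"
}

# live_audit WP_PATH -> the real checks against an installed site via WP-CLI.
live_audit() {
    local wp_path="$1" ver csv
    ver=$(wp plugin get updraftplus --field=version --path="$wp_path")
    if version_is_fixed "$ver"; then echo "updraftplus $ver: patched"
    else echo "updraftplus $ver: VULNERABLE, update to $FIXED_VERSION or later"; fi
    csv=$(mktemp)
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered \
        --format=csv --path="$wp_path" > "$csv"
    echo "administrators registered since 2026-06-01:"; new_admins "$csv" 2026-06-01
    echo "PHP under uploads:"; php_in_uploads "$wp_path/wp-content/uploads"
    echo "plugin dirs changed in last 30 days:"; recent_plugin_dirs "$wp_path/wp-content/plugins" 30
    rm -f "$csv"
}

# ./audit.sh --demo runs the offline checks on the sample tree; ./audit.sh /var/www/html audits a site.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    php_in_uploads "$d/uploads"; recent_plugin_dirs "$d/plugins" 30
    new_admins "$d/admins.csv" 2026-06-01; post_counts_by_ip "$d/access.log"
elif [ -n "${1:-}" ]; then
    live_audit "$1"
fi
```

On the sample tree the script reports cache.php under uploads, wp-file-manager as the only plugin directory touched in the last 30 days, wp_support as the only administrator registered after the cutoff, and 203.0.113.5 as the address with the most POSTs. The cutoff date and the 30-day window are parameters; pick them from the disclosure date and your own patch date, and remember that a directory mtime can be reset by an attacker, so treat it as a lead rather than proof.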

Quick-Win Checklist

  • Updated UpdraftPlus to ≥ 1.26.5.
  • Disabled UpdraftCentral remote management if not in use.
  • Audited installed plugins for unrecognized additions.
  • Audited administrator accounts for unrecognized users.
  • Scanned wp-content/uploads for PHP files (delete any found).
  • Reviewed server access logs for RPC endpoint hits.

Sources