“This vulnerability allows unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator — including uploading and activating a malicious plugin, which leads to remote code execution.” — Wordfence Security Advisory
There’s a category of vulnerability that makes even seasoned security professionals do a double-take: not because the technology is exotic (it isn’t), but because of the gap between what it takes to exploit it (almost nothing) and what it achieves (everything).
CVE-2026-10795, discovered in the UpdraftPlus: WP Backup & Migration Plugin, sits firmly in that category. An unauthenticated attacker, someone with no WordPress account, no stolen credentials and no prior access to the target site, can exploit this flaw to run commands as the connected administrator, upload and activate a malicious plugin, and ultimately achieve remote code execution on the web server.
This isn’t a theoretical risk. Within 24 hours of public disclosure, security firms reported blocking nearly 5,000 exploit attempts. The vulnerability is being actively exploited right now against an installed base of roughly three million sites (though, as explained below, only installations with an active remote-management connection are exploitable).
If you run a WordPress site with UpdraftPlus installed, this article tells you everything you need to know: what the vulnerability is, how it works technically, who is affected, what attackers can do with it, and exactly what you need to do to protect yourself.
What is UpdraftPlus — and Why Does Its Popularity Make This So Serious?
UpdraftPlus is one of the most widely installed WordPress plugins in existence. With over 3 million active installations, it ranks among the handful of plugins that have achieved near-ubiquitous adoption across the WordPress ecosystem.
Its popularity stems from the combination of capabilities it provides in a single plugin: scheduled automated backups to a wide range of cloud storage services (including Google Drive, Dropbox, Amazon S3, and others), site restoration tools, and the ability to migrate WordPress installations between servers, hosts, and domains.
For website owners, it solves real, important operational problems. For hosting providers, it’s frequently recommended as a best-practice backup solution.
That popularity is precisely what makes this vulnerability so consequential. A flaw in a plugin installed on 10,000 sites is a security issue. A flaw in a plugin installed on 3 million sites is a security crisis. The attack surface is massive, the target pool is enormous, and the exploitation attempts began almost immediately after disclosure.
The Technical Anatomy of CVE-2026-10795
To understand why this vulnerability is so serious, it helps to understand exactly what it does — and what it was supposed to protect against.
The Remote Communications Feature
UpdraftPlus includes a remote management capability that allows it to communicate with external services — most notably UpdraftCentral, the plugin’s centralised dashboard for managing multiple WordPress sites remotely. This feature lets administrators connect their WordPress installations to an UpdraftCentral account and send management commands remotely.
The remote communications system is implemented in the UpdraftPlus_Remote_Communications_V2 class. When the plugin is active, this class registers a listener on WordPress’s wp_loaded action, so it runs on every page load, including requests from visitors who are not logged in. When a request matches the expected message format, the class decrypts it, parses the commands it contains and executes them on the WordPress installation.
The entire security model of this system depends on one thing: the plugin correctly verifying that incoming communications are legitimate — that they actually came from an authorised UpdraftCentral account, not from an attacker.
The Cryptographic Failure
The vulnerability is a cryptographic validation error in the wp_loaded method of the UpdraftPlus_Remote_Communications_V2 class. Two failures compound each other:
- Signature verification bypass: the code that checks an incoming message’s cryptographic signature (the proof that it came from an authorised source) can be bypassed. A message with an invalid or malformed signature fails the check, but the failure path does not reject the message, so processing continues.
- Deterministic key collapse: when the step that should recover the message’s AES-128 key fails (as it does for a forged message), the code uses the return value of that failed operation as the key for the rest of the processing. A failed decryption returns false. PHP coerces false to an empty string when it is passed where a string is expected, and common AES implementations in PHP (the openssl extension included) pad a short key with null bytes up to the required 16 bytes. The “key” therefore collapses to sixteen zero bytes, a value every attacker knows in advance.
The consequence of these two failures together is devastating: an attacker can pre-encrypt their own malicious commands using the all-zero key (which they know), send those commands with an invalid signature, have the signature check fail silently, watch the plugin decrypt the forged commands using the predictable all-zero key, and then execute those commands — as the connected administrator.
In plain language: the lock on the door is broken in a way that not only fails to keep attackers out, but gives them a copy of the key. An attacker can craft commands that look exactly like legitimate administrator instructions, and the plugin executes them without question.
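The following script is an added illustration of the two failures described above, modelled with PHP’s openssl extension. It is not UpdraftPlus code and does not reproduce the plugin’s message format: the function names, the JSON command, the fixed IV and the HMAC “signature” are all stand-ins chosen for the demo, and the only assumption carried over from the text is that the key-recovery step returns false on failure. The vulnerable handler computes the signature check but never acts on it, then hands the false sentinel to AES; the hardened handler verifies first and fails closed.

```php
<?php
// Added demo (not UpdraftPlus code) of "false used as an AES key" in PHP.
// Assumptions: key recovery returns false on failure; names, IV, command and
// the HMAC "signature" scheme are invented for the demo.
// Run with default (coercive) typing: strict_types=1 would reject false as a string.

const DEMO_IV     = "0123456789abcdef";     // 16-byte IV, fixed for the demo only
const DEMO_SECRET = "demo-signing-secret";  // known only to the legitimate peer

/** Stand-in for the step that should recover the per-message AES key; it fails here. */
function recover_session_key(string $key_blob): string|false
{
    return false; // what a failed decryption returns
}

/** Constant-time check of an HMAC-SHA256 tag over the ciphertext. */
function signature_valid(string $ciphertext, string $tag): bool
{
    return hash_equals(hash_hmac('sha256', $ciphertext, DEMO_SECRET, true), $tag);
}

/** Vulnerable pattern: signature result ignored, failure sentinel used as key material. */
function handle_vulnerable(string $key_blob, string $ciphertext, string $tag): string|false
{
    $ok  = signature_valid($ciphertext, $tag);   // computed, but nothing acts on false
    $key = recover_session_key($key_blob);       // false
    // false coerces to "" and openssl_decrypt zero-pads a short key to 16 bytes,
    // so this is AES-128-CBC under the all-zero key the attacker also knows.
    return openssl_decrypt($ciphertext, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, DEMO_IV);
}

/** Hardened pattern: verify first, then fail closed on any key-recovery problem. */
function handle_fixed(string $key_blob, string $ciphertext, string $tag): string|false
{
    if (!signature_valid($ciphertext, $tag)) {
        return false;                            // reject before touching the payload
    }
    $key = recover_session_key($key_blob);
    if ($key === false || strlen($key) !== 16) {
        return false;                            // a sentinel is never key material
    }
    return openssl_decrypt($ciphertext, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, DEMO_IV);
}

// Attacker side: no secret and no valid key blob. Encrypt a forged command under
// the all-zero key and attach a garbage tag of the right length.
$zero_key = str_repeat("\0", 16);
$forged   = openssl_encrypt('{"command":"install_plugin"}', 'aes-128-cbc', $zero_key, OPENSSL_RAW_DATA, DEMO_IV);
$bad_tag  = str_repeat("A", 32);

$v = handle_vulnerable('not-a-real-key-blob', $forged, $bad_tag);
$f = handle_fixed('not-a-real-key-blob', $forged, $bad_tag);

echo "vulnerable handler returned: ", var_export($v, true), PHP_EOL;
echo "fixed handler returned:      ", var_export($f, true), PHP_EOL;
echo "collapsed key == all-zero key: ",
     var_export($v === openssl_decrypt($forged, 'aes-128-cbc', $zero_key, OPENSSL_RAW_DATA, DEMO_IV), true), PHP_EOL;
```

Run it with `php demo.php`. The vulnerable handler hands back the attacker’s JSON command unchanged and the last line confirms that its “key” was exactly sixteen zero bytes; the fixed handler returns false at the signature gate without ever decrypting. The design point is that a decryption result must be checked for failure before it is used for anything, and that a verification routine must stop processing on failure rather than merely record it.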
The Exploit Chain: From Forged Command to Full Takeover
Once an attacker can execute arbitrary commands as the connected administrator, the exploit chain to full site compromise is short:
- The attacker identifies a WordPress site with UpdraftPlus installed and a Migrator key or UpdraftCentral key active. (This active connection is required for the vulnerability to be exploitable.)
- Using the cryptographic weakness, they forge an RPC command instructing WordPress to install and activate a plugin — specifically, a malicious plugin of their choosing.
- The malicious plugin is uploaded and activated. This plugin typically contains a web shell or backdoor that provides persistent access to the server.
- From there, the attacker has remote code execution capability: they can execute arbitrary code on the web server, access databases, exfiltrate data, deface the site, install ransomware, or use the server as a platform for further attacks.
Who Is Actually Vulnerable?
Not every one of the 3 million UpdraftPlus installations is equally at risk. The vulnerability is specifically exploitable on sites that meet one condition: an active Migrator key or UpdraftCentral key connected to the UpdraftPlus installation.
This condition exists when site owners have used the remote management features — connecting their WordPress site to UpdraftCentral or setting up a Migrator connection for site-to-site migration purposes. Many UpdraftPlus users do exactly this, as remote management and migration are core features of the plugin.
All versions of the plugin up to and including 1.26.4 contain the vulnerability. The patched version is 1.26.5, released by the UpdraftPlus team after the flaw was reported through Wordfence’s coordinated disclosure process on June 2nd, 2026.
Important: “My site might not be affected” is not a safe assumption. If UpdraftPlus is installed and you have ever used UpdraftCentral or a Migrator connection, your site is potentially vulnerable. Update immediately and verify.
What an Attacker Can Do With Successful Exploitation
The practical consequences of a successful exploit aren’t limited to a single bad outcome. Remote code execution — which is the endpoint of this attack chain — gives an attacker essentially unlimited access to the affected server. Common post-exploitation activities include:
- Data theft: Database contents including customer data, payment information, email addresses, and user credentials can be exfiltrated.
- Site defacement: The site’s content can be replaced with the attacker’s messaging.
- Ransomware installation: The server’s files can be encrypted and held for ransom.
- Malware distribution: The site can be repurposed to serve malware to visitors — potentially blacklisting the site from Google and other search engines.
- Spam infrastructure: The server can be used to send spam emails, which can destroy the site’s domain reputation and email deliverability.
- Credential harvesting: Login forms can be modified to capture credentials entered by visitors.
- Botnet participation: The compromised server can become part of a botnet used for further attacks on other targets.
- SEO spam: Malicious redirects and hidden links can be injected to manipulate search rankings — with consequences for the site’s own organic visibility.
From an SEO perspective, the malware injection scenario deserves particular attention. If Google discovers that a site is serving malware or engaging in cloaking (showing different content to crawlers than to users — a common technique used after compromise), it can impose a manual action, remove the site from the search index, or dramatically reduce its visibility. Recovering from a security-related Google penalty is significantly more difficult and time-consuming than recovering from a technical SEO issue.
What You Need to Do Right Now
Step 1: Check Your UpdraftPlus Version Immediately
In your WordPress admin dashboard, navigate to Plugins and find UpdraftPlus: WP Backup & Migration Plugin. Check the version number displayed. If it shows 1.26.4 or earlier, your site is running a vulnerable version.
Step 2: Update to Version 1.26.5 or Later
The update to 1.26.5 is available through the standard WordPress plugin update mechanism. Navigate to Dashboard > Updates, or directly update from the Plugins page. If automatic updates are enabled, verify the update has been applied — don’t assume.
Note: Some hosting providers have already applied automated updates. As of June 10th, 2026, at least one major hosting provider began an automated update procedure for UpdraftPlus installations across their infrastructure. Verify your current version regardless.
Step 3: Audit Your UpdraftPlus Connections
After updating, review your UpdraftPlus settings and identify any active UpdraftCentral or Migrator connections. If you have connections that are no longer needed, remove them. Reducing the attack surface is good practice even after patching.
Step 4: Check for Signs of Prior Compromise
If your site was running a vulnerable version and had an active remote connection, consider whether it may already have been compromised. Indicators to check include:
- Unexpected new plugins or recently activated plugins in the WordPress admin.
- Unexpected new administrator accounts in Users > All Users.
- Unusual file modifications in your hosting file manager or via SFTP (particularly in the wp-content/plugins directory).
- Google Search Console security warnings or manual actions notifications.
- Browser warnings when visiting your site.
- Unusual server resource consumption (CPU, bandwidth, outbound connections).
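The script below is an added helper for Step 1 and Step 4 above; it is not part of the original article or of UpdraftPlus. It runs from the shell against a WordPress root without loading WordPress, reads the plugin’s Version header from the default location wp-content/plugins/updraftplus/updraftplus.php (an assumed path), compares it with the fixed release, and lists plugin files modified within a window (14 days, an arbitrary default) so that a dropped plugin or an edited file stands out.

```php
<?php
// Added helper (not from the article or UpdraftPlus): Step 1 version check and
// Step 4 file-modification review for a WordPress install.
// Assumptions: run from the CLI against the WordPress root; UpdraftPlus lives at
// the default path wp-content/plugins/updraftplus/updraftplus.php; "recent" = 14 days.
// Usage: php updraft-check.php /var/www/example.com

const FIXED_VERSION = '1.26.5';
const RECENT_DAYS   = 14;

/** Read the "Version:" header from a plugin's main file; null if absent or unreadable. */
function plugin_version(string $main_file): ?string
{
    if (!is_readable($main_file)) {
        return null;
    }
    $header = file_get_contents($main_file, false, null, 0, 8192); // header lives in the first 8 KiB
    return preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m) ? trim($m[1]) : null;
}

/** Walk the plugins directory and return files modified within $days, newest first. */
function recently_modified(string $plugins_dir, int $days): array
{
    $cutoff = time() - $days * 86400;
    $hits   = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($plugins_dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && $file->getMTime() >= $cutoff) {
            $hits[$file->getPathname()] = $file->getMTime();
        }
    }
    arsort($hits);
    return $hits;
}

$root        = rtrim($argv[1] ?? getcwd(), '/');
$plugins_dir = "$root/wp-content/plugins";
$version     = plugin_version("$plugins_dir/updraftplus/updraftplus.php");

// Step 1: version check.
if ($version === null) {
    echo "UpdraftPlus not found under $plugins_dir\n";
} elseif (version_compare($version, FIXED_VERSION, '<')) {
    echo "VULNERABLE: UpdraftPlus $version is older than " . FIXED_VERSION . ". Update now.\n";
} else {
    echo "OK: UpdraftPlus $version\n";
}

// Step 4: files changed recently. Review anything you did not install or update
// yourself; a dropped malicious plugin appears as a whole new directory of fresh files.
echo "\nPlugin files modified in the last " . RECENT_DAYS . " days:\n";
foreach (recently_modified($plugins_dir, RECENT_DAYS) as $path => $mtime) {
    echo date('Y-m-d H:i', $mtime), "  ", substr($path, strlen($plugins_dir) + 1), "\n";
}
```

Compare the output with your own deployment history: a plugin directory you never installed, or files inside an existing plugin that changed when you applied no update, is a lead worth pulling on. The user and active-plugin checks from the indicator list need WordPress itself; from the shell, WP-CLI’s `wp user list --role=administrator` and `wp plugin list --status=active` give the same view as the admin screens.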
Step 5: Implement Broader WordPress Security Measures
This vulnerability is a reminder that plugin security is not a one-time concern. Beyond addressing this specific issue:
- Enable automatic updates for plugins, or establish a regular update review schedule.
- Remove unused plugins from your WordPress installation. Deactivating is not enough: a deactivated plugin’s files stay on disk and remain directly reachable over HTTP, so flaws in them can still be exploited in some scenarios.
- Use a WordPress security plugin with a web application firewall (WAF) that can block exploit attempts even against unpatched vulnerabilities.
- Enable two-factor authentication for all WordPress administrator accounts.
- Restrict wp-admin access by IP address if your usage allows for it.
- Subscribe to WordPress security advisories through services like Wordfence, Patchstack, or WPScan so you’re notified of new vulnerabilities quickly.
Conclusion
The UpdraftPlus vulnerability is not a theoretical risk in a lab environment. It is a critical, actively exploited flaw on a plugin installed on three million websites. The attack requires no credentials, no social engineering, and no sophisticated tooling. The consequences — remote code execution, data theft, site compromise, potential Google blacklisting — are among the most severe outcomes in WordPress security.
The fix is free, available now, and takes minutes to apply. The only variable is whether you apply it before or after an attacker targets your site.
Update UpdraftPlus to version 1.26.5 today.
TAKE THE NEXT STEP WITH THE BRISK DIGITAL
Running WordPress for your business? Security vulnerabilities like this can significantly harm your SEO rankings and damage your online presence quickly.
The Brisk Digital provides WordPress security audits, plugin management, and technical SEO services that keep your site protected and performing.
Don’t wait for a breach to take security seriously.