Cybersecurity experts recently identified a major threat to WordPress websites: attackers are actively exploiting a critical vulnerability in the UpdraftPlus plugin, tracked as CVE-2026-10795. The flaw impacts more than three million active installations worldwide, and security researchers are observing widespread attacks right now. Wordfence reported blocking “4,987 attacks targeting this vulnerability in the past 24 hours.” Website administrators must update their systems immediately to prevent total site compromise.
A security researcher named vtim originally discovered the bug and earned a bounty of $5,200.00 for responsibly disclosing it. The security community is now racing to secure vulnerable systems.
Understanding the Authentication Bypass Flaw
The UpdraftPlus plugin provides excellent backup and remote management tools. However, its UpdraftCentral integration contains a severe weakness. The vulnerability triggers when the software processes encrypted remote procedure calls. Consequently, unauthenticated attackers can completely bypass standard security checks. According to the advisory, “this vulnerability allows unauthenticated attackers to run arbitrary Remote Procedure Calls (RPC) as the connected administrator.” As a result, hackers can easily upload malicious plugins directly to the server.
How the Cryptographic Failure Occurs
Developers traced the root cause to a cryptographic validation error. The remote communications library registers an unauthenticated listener on every page load, and the code then fails to verify a crucial decryption step. If an attacker supplies a malformed key, the software falls back to an insecure state: passing a false value “collapses to a deterministic cipher with an all-zero AES-128 key.” Attackers can then encrypt their own malicious commands locally, and the vulnerable server accepts these forged messages without requiring authentic keys.
Securing Your WordPress Installation
Ultimately, this UpdraftPlus CVE-2026-10795 issue allows total website takeover. Attackers use the RPC capabilities to trigger the file upload command. This action writes a malicious ZIP file directly to the active disk. Afterward, the system activates the new plugin automatically. Hackers quickly gain arbitrary PHP and operating system command execution.
Fortunately, the development team quickly released a security patch. They fixed the broken function by adding a strict return-value check. You must immediately update your UpdraftPlus plugin to the newest patched version. Updating remains the best defense against these ongoing attacks.
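The failure mode described under "How the Cryptographic Failure Occurs" and the strict return-value check the patch adds can be modelled side by side. This is an added example, not UpdraftPlus code: the function names, the HMAC-tagged blob standing in for the real key-unwrap step, and the zero-padding key setter are assumptions chosen to mirror the page's description of a false value reaching the cipher.

```python
import hashlib
import hmac

KEY_LEN = 16  # AES-128 key length in bytes

class KeyUnwrapError(Exception):
    """Raised when the session key cannot be recovered."""

def make_wrapped(key: bytes, secret: bytes) -> bytes:
    # Constructed stand-in for key wrapping: key followed by an HMAC tag.
    return key + hmac.new(secret, key, hashlib.sha256).digest()

def unwrap_session_key(wrapped: bytes, secret: bytes):
    # Returns the 16-byte key, or False on failure (PHP-style result).
    if len(wrapped) != KEY_LEN + 32:
        return False
    key, tag = wrapped[:KEY_LEN], wrapped[KEY_LEN:]
    expected = hmac.new(secret, key, hashlib.sha256).digest()
    return key if hmac.compare_digest(tag, expected) else False

def legacy_set_key(value) -> bytes:
    # Assumed setter behaviour: a non-string is coerced to an empty string,
    # then zero-padded to the key length.
    raw = value if isinstance(value, bytes) else b""
    return raw[:KEY_LEN].ljust(KEY_LEN, b"\x00")

def session_key_unchecked(wrapped: bytes, secret: bytes) -> bytes:
    # Vulnerable pattern: the unwrap result goes straight to the cipher.
    return legacy_set_key(unwrap_session_key(wrapped, secret))

def session_key_checked(wrapped: bytes, secret: bytes) -> bytes:
    # Hardened pattern: strict return-value check before any cipher setup.
    key = unwrap_session_key(wrapped, secret)
    if key is False or len(key) != KEY_LEN:
        raise KeyUnwrapError("key unwrap failed; message rejected")
    return key

if __name__ == "__main__":
    secret = b"constructed-site-secret"  # constructed sample value
    for blob in (make_wrapped(bytes(range(16)), secret), b"malformed"):
        print("unchecked:", session_key_unchecked(blob, secret).hex())
        try:
            print("checked:  ", session_key_checked(blob, secret).hex())
        except KeyUnwrapError as exc:
            print("checked:   rejected:", exc)
```

In the unchecked path every malformed input yields the same all-zero key, which is why the cipher becomes deterministic; the checked path never reaches the cipher with a failed unwrap.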