EXECUTIVE SUMMARY:
CVE-2026-10795, with a CVSS score of 8.1, is a critical authentication bypass vulnerability affecting the UpdraftPlus backup plugin for WordPress, specifically any version released before the security patch that addressed the flaw. The issue resides in the UpdraftCentral integration, where the plugin processes encrypted remote procedure calls (RPC) without properly verifying decryption keys: a malformed key collapses the AES-128 cipher to an all-zero key, allowing unauthenticated parties to craft forged messages that the server accepts as legitimate. An attacker can exploit this by sending a specially crafted RPC payload over the network. No prior authentication or privileged access is required, as long as the target site runs the vulnerable plugin and the remote RPC endpoint is reachable. Successful exploitation lets the attacker execute arbitrary RPC commands as the connected administrator, including uploading malicious plugin packages that are automatically installed, leading to full PHP and operating-system command execution. The business impact ranges from complete website takeover, data exfiltration, and service disruption to reputational damage and potential regulatory penalties, especially for sites handling sensitive user information. Exploitation is contingent on the target exposing the UpdraftCentral RPC interface and running the vulnerable plugin version.
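The failure described above comes down to decrypting with key material that was never validated. The following PHP is an added example, not UpdraftPlus code and not taken from the referenced report: it shows a fail-closed key check placed in front of decryption and command dispatch. The function names, and the assumption that a failed key unwrap yields `false`, an empty string, a short string or zero bytes, are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example with hypothetical helper names; not the plugin's own code.
const AES128_KEY_BYTES = 16;

/**
 * Return the key only if it is usable; throw otherwise so the caller fails closed.
 * $candidate is whatever the key-unwrapping step produced (assumption: raw bytes
 * on success, false/null/'' or malformed bytes on failure).
 */
function require_valid_aes128_key(mixed $candidate): string
{
    if (!is_string($candidate)) {
        throw new InvalidArgumentException('key unwrap failed: no key material');
    }
    if (strlen($candidate) !== AES128_KEY_BYTES) {
        // Never pad or truncate: padding a short key is how it degrades to zeros.
        throw new InvalidArgumentException('key has wrong length');
    }
    if (hash_equals(str_repeat("\0", AES128_KEY_BYTES), $candidate)) {
        throw new InvalidArgumentException('all-zero key rejected');
    }
    return $candidate;
}

/** Gate for an RPC handler: no valid key means no decryption and no dispatch. */
function handle_encrypted_rpc(mixed $unwrappedKey, string $ciphertext, callable $decryptAndDispatch): array
{
    try {
        $key = require_valid_aes128_key($unwrappedKey);
    } catch (InvalidArgumentException $e) {
        error_log('RPC rejected: ' . $e->getMessage());
        return ['ok' => false, 'error' => 'invalid_key'];
    }
    return ['ok' => true, 'result' => $decryptAndDispatch($key, $ciphertext)];
}

// Constructed sample inputs covering the malformed-key cases.
$samples = [
    'unwrap returned false' => false,
    'empty string'          => '',
    'short key'             => 'abc',
    'all-zero key'          => str_repeat("\0", AES128_KEY_BYTES),
    'random 16-byte key'    => random_bytes(AES128_KEY_BYTES),
];
foreach ($samples as $label => $key) {
    $r = handle_encrypted_rpc($key, 'constructed-ciphertext', fn (string $k, string $c): string => 'dispatched');
    printf("%-22s => %s\n", $label, $r['ok'] ? 'accepted' : 'rejected (' . $r['error'] . ')');
}
```

Only the last sample reaches the dispatch callback; every malformed key is rejected and logged before any decryption is attempted.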
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/updraftplus-cve-2026-10795-exploit/