
UpdraftPlus CVE-2026-10795

EUVD-2026-36215 · HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-06-11 · Wordfence · GHSA-hc7f-qwfj-7fcf
8.1 (CVSS 3.1, NVD)

Severity by source

Vendor (Wordfence), primary: HIGH (qualitative)
NVD: 8.1 HIGH, AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 8.1 HIGH

Internet-reachable plugin endpoint with no auth or user interaction (AV:N/PR:N/UI:N); AC:H because forging the udrpc envelope to trigger the silent-decryption-failure path is non-trivial; full RCE gives C:H/I:H/A:H.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 11, 2026 - 07:03 (vuln.today)
CVE Published: Jun 11, 2026 - 05:34 (cve.org)

Description (NVD)

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.

Analysis (AI)

Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticated attackers to forge RPC commands as the connected administrator by bypassing signature verification in the UpdraftPlus_Remote_Communications_V2::wp_loaded handler. A flaw in how unchecked decryption return values are handled collapses the encryption key to an all-zero value, enabling arbitrary plugin upload and activation. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify WordPress site running UpdraftPlus ≤1.26.4
Delivery: Craft udrpc message forcing decryption failure
Exploit: Re-encrypt payload under all-zero key
Install: POST forged RPC to plugin handler
C2: Invoke upload_plugin and activate_plugin as admin
Execute: Execute attacker PHP as WordPress process
Impact: Establish persistent webshell on host

Vulnerability Assessment (AI)

Exploitation Target: The WordPress site must have UpdraftPlus ≤1.26.4 installed and active, with the UpdraftPlus_Remote_Communications_V2 RPC endpoint reachable over HTTP(S) (the default once the plugin is installed, regardless of whether the site is actively connected to UpdraftCentral). …

Risk Assessment: The CVSS 8.1 vector (AV:N/AC:H/PR:N/UI:N/C:H/I:H/A:H) correctly captures unauthenticated network exploitation with high impact, with AC:H reflecting the cryptographic-bypass craft required to construct the forged RPC envelope. …

Exploit Scenario: An attacker scans the internet for WordPress sites running UpdraftPlus ≤1.26.4, then sends a crafted POST to the site containing a udrpc message whose signature and ciphertext are constructed so that decryption silently fails and the handler falls back to the all-zero key the attacker also used to encrypt the payload. The forged RPC issues an `upload_plugin` followed by `activate_plugin`, dropping a webshell-bearing plugin that runs as the WordPress PHP user. No public exploit is identified at time of analysis, but the patched-source diff plus the Wordfence write-up provide enough detail for rapid weaponization.

Remediation: Upgrade UpdraftPlus to the version released after 1.26.4 that contains the udrpc2 fix landed in WordPress plugin changeset 3561938 (https://plugins.trac.wordpress.org/changeset/3561938/updraftplus/trunk/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc2.php). Consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/e901c2a0-2477-4b9a-8483-6002419e0a2f?source=cve for the exact fixed release number, since the input data confirms an upstream fix but does not state a tagged patched version. …

Recommended Action (AI)

Within 24 hours: Inventory all WordPress environments for UpdraftPlus versions ≤1.26.4 and implement emergency WAF/firewall rules restricting unauthenticated access to WordPress admin endpoints. …
