Security advisory: critical UpdraftPlus flaw (CVE-2026-10795) — check and update WordPress now

22 June 2026 · jproxx Security

A critical vulnerability has been disclosed in UpdraftPlus, one of the most widely used WordPress backup plugins (over 3 million active installations): CVE-2026-10795. It is already being actively exploited. If you run WordPress with UpdraftPlus, you should act now.

What is affected?

  • Plugin: UpdraftPlus: WP Backup & Migration
  • Affected versions: all versions up to and including 1.26.4 (free), or Premium before 2.26.5
  • Fixed in: 1.26.5 (Premium 2.26.5)
  • Rating: authentication bypass, CVSS 8.1 (high/critical)

The flaw is especially relevant for sites with an active Migrator or UpdraftCentral key (UpdraftCentral remote management).

Why it is so dangerous

The vulnerability sits in the UpdraftCentral remote communication (UDRPC). A flawed signature check allows the authentication to be bypassed — an attacker needs no user account. As a result, unauthenticated attackers can run commands as an administrator, for example uploading and activating a malicious plugin. This leads to remote code execution and therefore full takeover of the website.

The flaw is being exploited in the wild: Wordfence reported blocking around 4,987 attack attempts within 24 hours.

What you should do now

  1. Update immediately — bring UpdraftPlus to version 1.26.5 or higher.
  2. Check for signs of compromise if you were running a vulnerable version:
    • unexpected administrator accounts in WordPress,
    • recently modified PHP files outside the usual plugin directories,
    • unfamiliar entries in the WordPress cron (scheduled tasks),
    • anomalies in the access logs referencing the remote-communications library.
  3. If in doubt: temporarily deactivate the plugin or remove the UpdraftCentral/Migrator key until the update is in place.
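
The version check from step 1 and the first three indicators from step 2, as an added triage script (not from UpdraftPlus or from the sources cited on this page). It assumes WP-CLI (`wp`) is installed on the host, that Premium builds are the 2.x line as the version numbers above suggest, and a hypothetical 14-day look-back window; access-log review is left out because no log pattern is given here.

```shell
#!/bin/sh
# Added triage helper; requires WP-CLI ("wp") on the host being checked.

# ver_lt A B: succeeds when dotted version A sorts strictly below B.
ver_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_vulnerable VERSION: succeeds when VERSION predates the fixed release.
# Assumption: Premium builds are the 2.x line, the free plugin everything else.
is_vulnerable() {
  case "$1" in
    2.*) fixed=2.26.5 ;;
    *)   fixed=1.26.5 ;;
  esac
  ver_lt "$1" "$fixed"
}

# triage WP_PATH [DAYS]: print version status and the indicators to review.
triage() {
  wp_path=${1%/}; days=${2:-14}   # 14 days is an arbitrary default window
  ver=$(wp --path="$wp_path" plugin get updraftplus --field=version) || {
    echo "UpdraftPlus not found in $wp_path" >&2; return 2; }
  if is_vulnerable "$ver"; then
    echo "UpdraftPlus $ver: VULNERABLE, update before anything else"
  else
    echo "UpdraftPlus $ver: fixed release (still review if it was updated late)"
  fi
  echo "== Administrator accounts (look for ones nobody created) =="
  wp --path="$wp_path" user list --role=administrator \
    --fields=ID,user_login,user_email,user_registered
  echo "== PHP files changed in the last $days days, outside plugins/ =="
  find "$wp_path" -type f -name '*.php' -mtime "-$days" \
    ! -path "$wp_path/wp-content/plugins/*"
  echo "== Scheduled cron events (look for unfamiliar hooks) =="
  wp --path="$wp_path" cron event list
}

# Run only when asked, e.g. (example path):  sh triage.sh --triage /var/www/html 30
if [ "${1:-}" = "--triage" ]; then
  triage "${2:-.}" "${3:-14}"
fi
```

A "fixed release" result only describes the current state: a site that ran a vulnerable version before the update still needs the three listings reviewed.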

Are you a jproxx Managed WordPress customer?

For our Managed WordPress plans we handle updates and security patches. We track critical vulnerabilities like this one and roll out the update. If you’re unsure whether your installation is already on 1.26.5+, or need help checking for compromise, get in touch — we’ll review it together.


Sources: Wordfence / NVD / GitHub Advisory Database (CVE-2026-10795). This information is provided for security awareness; the official UpdraftPlus advisory and your security/hosting solution are authoritative.