216.73.216.170

CVE-2026-10795

· Published 11/06/2026 09:16 · Modified 11/06/2026 14:42 · Author: The MITRE Corporation

Labels: CVE-2026-10795 2026-06-11CVE-2026-10795CWE-347[email protected]

Essential information

Published
11/06/2026 09:16
Modified
11/06/2026 14:42
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
8.1 HIGH (v3.1)
CISA KEV
No
CWE
CWE-347
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
updraftplus / wp backup and migration plugin cpe:2.3:a:updraftplus:wp_backup_and_migration_plugin:*:*:*:*:*:wordpress:*:*

References