
| Plugin name | UpdraftPlus |
|---|---|
| Vulnerability type | Authentication flaw |
| CVE number | CVE-2026-10795 |
| Urgency | High |
| CVE publication date | 2026-06-10 |
| Source URL | CVE-2026-10795 |
Urgent: UpdraftPlus (≤ 1.26.4) Broken Authentication via UpdraftCentral ‘udrpc’ — What Every WordPress Owner Must Do Now
Author: WP‑Firewall Security Team
Date: 2026-06-10
Keywords: wordpress, security, updraftplus, waf, vulnerability, incident-response
Summary: A high‑severity broken authentication vulnerability (CVE‑2026‑10795, CVSS 8.1) in the UpdraftCentral remote-control functionality (udrpc) shipped with UpdraftPlus allows unauthenticated attackers to bypass authentication and perform privileged actions on sites running vulnerable versions (≤ 1.26.4). This advisory explains the risk, how the issue is typically abused, how to detect attacks, short‑term mitigations (including virtual patching via WP‑Firewall), and the recommended long‑term remediation steps.
Table of contents
- Summary
- Why this vulnerability is dangerous
- Technical overview (non-exploitative)
- Common attack vectors and real-world scenarios
- How to quickly detect if your site was targeted or compromised
- Immediate mitigation steps (apply within minutes)
- Virtual patching and WAF rules you can deploy now
- Full remediation: safe update and post‑update checks
- Incident response checklist (if compromised)
- Hardening recommendations to reduce future risk
- Frequently asked questions
- WP‑Firewall free plan — a practical way to add protection now
- Final notes and sources
Summary
A broken authentication vulnerability in the UpdraftPlus ecosystem (identified as CVE‑2026‑10795) allows unauthenticated requests to bypass expected authentication checks in the UpdraftCentral/udrpc interface. Because of the privileged nature of the Updraft capabilities (backup, restore, migration, remote control endpoints), successful exploitation can enable attackers to perform actions that normally require administrative privileges, including but not limited to executing backup/restore routines, creating admin accounts via integration flows, or exfiltrating site data.
If your site runs UpdraftPlus or any related UpdraftCentral components and the plugin version is ≤ 1.26.4, treat the risk as immediate: update or virtually patch now.
Why this vulnerability is dangerous
- Unauthenticated: The vulnerability does not require an attacker to be logged in. Remote attackers can reach the vulnerable endpoint via normal HTTP(S) requests.
- Privilege escalation / bypass: The issue bypasses authentication checks, enabling attacker-controlled actions that would normally be restricted to administrators.
- Automation-friendly: The vulnerability can be probed and exploited at scale with simple HTTP tooling, making it an attractive target for mass exploitation campaigns.
- Backup/restore vector: Components related to backups and remote control can expose sensitive data or give attackers pathways to write files, inject options, or run processes that persist access.
Because the vulnerability is exposed over web requests and affects a very popular backup/migration plugin, it is categorized as high priority for immediate mitigation.
Technical overview (high level, non‑exploitative)
- Affected component: UpdraftPlus plugin, specifically the UpdraftCentral-related RPC (referred to as “udrpc” in internal endpoints).
- Affected versions: UpdraftPlus (and/or UpdraftCentral integrator) versions up to and including 1.26.4.
- Patched version: 1.26.5 (upgrade to this version or later to permanently remediate).
- Core issue: Broken authentication / improper verification of request authenticity in an RPC endpoint. The endpoint processes requests that should require validated credentials or a nonce without properly verifying them.
- Attack surface: Publicly reachable URL(s) exposing the udRPC functionality (HTTP POST/GET handlers that accept commands/parameters).
Note: We are intentionally not publishing step-by-step exploit code. Our objective is to empower defenders to detect and mitigate without accelerating attack automation.
Common attack vectors and real‑world scenarios
Attackers will generally follow patterns like these:
- Discovery
- Scan for sites with UpdraftPlus installed (common with plugin enumeration or known plugin file locations).
- Probe for URLs that include strings such as “udrpc”, “updraftcentral”, or patterns consistent with remote RPC endpoints.
- Authentication bypass
- Send crafted requests to the udRPC endpoint designed to trigger code paths that skip authentication or mis-handle auth tokens/nonce checks.
- Privileged action
- Once a bypass is achieved, attackers can attempt actions like:
- Triggering backups and exfiltrating the resulting archive (if accessible).
- Triggering restores that override content or upload attacker files.
- Creating or modifying configuration entries to add a backdoor admin or persistent option.
- Executing downstream operations via integration hooks.
- Persistence and lateral movement
- Install backdoors, create admin users, or add scheduled tasks to retain access.
- Move laterally to other integrators or connected services.
Because this vulnerability enables unauthorized actions, even reconnaissance probes should be treated as malicious and logged for follow-up.
How to quickly detect if your site was targeted or compromised
Signs of targeting or exploitation:
- Unusual POST requests to endpoints containing “udrpc”, “updraftcentral”, “updraft”, or unexpected RPC-like parameters in access logs.
- Requests from unusual user agents or mass scanning IPs, often in bursts.
- Suddenly created admin users or changes to user roles.
- Unexpected backups generated at suspicious times, or backup files appearing in wp-content/updraft (the plugin's default backup directory) or wherever you have configured backups to be stored, that you did not trigger.
- Files modified/created by WordPress that you do not recognize, especially under plugin or uploads directories.
- Unusual outgoing network connections to unknown hosts originated by your site (check network logs if available).
Log checks to run immediately (examples):
- Search webserver logs for “udrpc”, “updraftcentral”, or similar strings.
- Search for POST requests to wp-admin/admin‑ajax.php whose parameters relate to Updraft or UpdraftCentral. Standard access logs record only the query string, not the POST body, so body parameters are visible only in a WAF audit log or with request-body logging enabled.
- Review WordPress user list for unexpected admin accounts:
- wp_users table: unexpected user rows
- wp_usermeta: capabilities and roles tampering.
- Check modification times of plugin files and upload directories.
If you find evidence of suspicious activity, follow the incident response checklist below.
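The log checks above, carried out as a script, as an added example (not code from the original advisory or from WP‑Firewall): it parses combined-format access logs, applies the indicator strings named above, flags updraft-prefixed query parameters on admin-ajax.php POSTs and readme.txt enumeration, and reports IPs that produced bursts of such requests. The log lines and the AJAX action names in them are constructed placeholders, not the plugin's real hook names; the burst threshold and window are assumptions to tune for your traffic.

```python
"""Triage combined-format access logs for udrpc / UpdraftCentral probing.
Flags (1) udrpc/updraftcentral strings in the request target, (2) POSTs to
admin-ajax.php carrying an updraft-prefixed query parameter, (3) fetches of the
plugin's readme.txt (plugin enumeration) and (4) bursts of such requests from one
IP.  Sample log lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format.  The POST body is not logged, so only the
# query string of admin-ajax.php requests can be inspected here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
INDICATOR_RE = re.compile(r'udrpc|updraftcentral', re.IGNORECASE)
README_RE = re.compile(r'/wp-content/plugins/updraftplus/readme\.txt$', re.IGNORECASE)
BURST_THRESHOLD = 5                  # flagged requests from one IP ... (assumption)
BURST_WINDOW = timedelta(seconds=60)  # ... within this window count as a burst

# Constructed sample: one scanner, one legitimate admin session, one ordinary visitor.
# The action names are placeholders, not the plugin's real AJAX hooks.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2026:08:01:02 +0000] "GET /wp-content/plugins/updraftplus/readme.txt HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:08:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=updraftcentral_probe HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:08:01:04 +0000] "POST /wp-admin/admin-ajax.php?action=updraftcentral_probe HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:08:01:05 +0000] "POST /?udrpc=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:08:01:06 +0000] "POST /wp-admin/admin-ajax.php?action=updraftcentral_probe HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:08:01:07 +0000] "POST /wp-admin/admin-ajax.php?action=updraftcentral_probe HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.20 - - [10/Jun/2026:09:15:00 +0000] "GET /wp-admin/options-general.php?page=updraftplus HTTP/1.1" 200 9000 "https://example.com/wp-admin/" "Mozilla/5.0"
198.51.100.20 - - [10/Jun/2026:09:15:02 +0000] "GET /wp-content/plugins/updraftplus/css/updraftplus.css HTTP/1.1" 200 3000 "https://example.com/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2026:10:00:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "https://example.com/wp-admin/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def classify(rec):
    """Reasons a parsed request looks like udrpc probing; empty list if none."""
    reasons = []
    parts = urlsplit(rec['target'])
    if INDICATOR_RE.search(rec['target']):
        reasons.append('udrpc/updraftcentral string in request target')
    if rec['method'] == 'POST' and parts.path.endswith('/wp-admin/admin-ajax.php'):
        params = parse_qs(parts.query)
        if any(k.lower().startswith('updraft') or any(v.lower().startswith('updraft') for v in vals)
               for k, vals in params.items()):
            reasons.append('updraft-related parameter on admin-ajax.php')
    if README_RE.search(parts.path):
        reasons.append('plugin enumeration (readme.txt)')
    return reasons


def find_bursts(hits, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """IPs with at least `threshold` flagged requests inside any `window`-long span."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h['ip']].append(h['time'])
    bursty = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursty.add(ip)
                break
    return bursty


def triage(log_text):
    """Run the checks over raw log text; returns hits, bursting IPs and unparsed count."""
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({'ip': rec['ip'], 'time': rec['time'],
                         'target': rec['target'], 'reasons': reasons})
    return {'hits': hits, 'burst_ips': find_bursts(hits), 'unparsed': unparsed}


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for h in result['hits']:
        print(h['time'].isoformat(), h['ip'], h['target'], '; '.join(h['reasons']))
    print('burst IPs:', sorted(result['burst_ips']))
```

Note that the admin's own visit to the plugin settings page and the stylesheet fetch are not flagged: the indicator regex deliberately excludes the bare word "updraft", which appears in legitimate admin page and asset URLs. Feed real logs with `triage(open(path).read())` and review `unparsed` to confirm the log format matched.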
Immediate mitigation steps (apply within minutes)
If you cannot update the plugin right now, do the following immediately:
- Block public access to the udRPC endpoint
- Use your WAF, server firewall, or webserver configuration to block requests containing “udrpc” or “updraftcentral” in the URL or POST body unless the request originates from a trusted IP.
- Restrict access to plugin admin pages
- Restrict access to UpdraftPlus admin pages and plugin directories (via IP allowlist for administrators).
- Temporarily deactivate the plugin
- If blocking isn’t possible or you suspect compromise, deactivate UpdraftPlus until you can safely update.
- Change admin passwords and rotate secrets
- Rotate WordPress administrator passwords, database credentials (if compromise suspected), and any API keys used by integration services.
- Enable enhanced logging and alerting
- Turn on detailed logging of suspicious endpoints and alert on new admin user creation or changes.
These measures help reduce exposure while you prepare a full remediation.
Virtual patching and WAF rules you can deploy now
If you have a web application firewall (WAF) — including WP‑Firewall — you can deploy virtual patches that block exploit attempts at the HTTP layer. Virtual patching buys you time while you plan updates and incident response.
Recommended WAF approaches
- Block by URL pattern
- Deny requests where REQUEST_URI or REQUEST_BODY matches case-insensitive patterns like:
- udRPC
- updraftcentral
- updraft
- Example ModSecurity-style rule (template; ARGS from the request body are only populated in phase 2, so a phase:1 rule would never see them):
SecRule REQUEST_URI|ARGS|REQUEST_HEADERS "@rx (?i)(udrpc|updraftcentral|updraft)" "id:100001,phase:2,deny,status:403,msg:'Block suspected Updraft udRPC access',log"
- Note: the bare word "updraft" also matches the plugin's own admin pages, asset paths and Referer headers, so this rule will break legitimate admin workflows unless you allowlist known admin IPs or drop that alternative. Use conservative rules.
- Require a WordPress login cookie on RPC-like requests
- Block requests that carry an Updraft RPC action name but no wordpress_logged_in_ cookie. A WAF can only check that such a cookie is present, not verify its signature, so treat this as a coarse filter rather than authentication; the plugin's own capability and nonce checks remain the real control. Note that the UpdraftCentral dashboard sends its RPC messages from its own server, not from a logged-in browser session on your site, so allowlist its source address if you use UpdraftCentral.
- Block suspicious content types and encodings
- Deny requests with unexpected content encodings, or POSTs whose parameters consist of large base64 blobs carrying serialized data.
- Rate‑limit and reputation controls
- Rate-limit requests to the endpoints. Block IPs with scanning patterns.
- Geo/IP allowlisting
- If your admins operate from a small set of known IP ranges, restrict access to plugin sensitive endpoints to those IPs.
- Monitor for indicators
- Create an alert for any blocked requests so you can investigate potential probing activity.
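The approaches listed above, combined into one decision function as an added example (not part of the original advisory and not WP‑Firewall's rule set): a request is checked for udrpc/updraftcentral strings in path, query string and body; trusted networks (where the UpdraftCentral dashboard and administrators connect from) are allowed through; every other source is rate-limited and must present a wordpress_logged_in_ cookie. The request dicts, network ranges and action names are constructed for the example; the cookie prefix is WordPress's real naming, but a WAF can only see that the cookie exists, not validate it.

```python
"""Decision model for a conservative virtual patch in front of udrpc-like requests:
trusted-source allowlist, login-cookie presence check, per-IP rate limit.
Requests are plain dicts constructed for this example; in production the same
policy is expressed as WAF rules or an early-running WordPress mu-plugin."""
import ipaddress
import re
from collections import defaultdict, deque

INDICATOR_RE = re.compile(r'udrpc|updraftcentral', re.IGNORECASE)
# WordPress names its auth cookie wordpress_logged_in_<hash>.  Presence is all a
# WAF can check; the signature inside it is verified only by WordPress itself.
LOGGED_IN_COOKIE_RE = re.compile(r'(^|;\s*)wordpress_logged_in_[^=;]*=')


class VirtualPatch:
    def __init__(self, trusted_cidrs, rate_limit=10, window_seconds=60):
        self.trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
        self.rate_limit = rate_limit        # assumption: tune for your traffic
        self.window = window_seconds
        self.recent = defaultdict(deque)    # ip -> timestamps of udrpc-like requests

    def _is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def _rpc_like(self, req):
        # Inspect path, query string AND body: a URL-only rule misses the POST
        # parameters that admin-ajax.php requests carry.
        haystack = ' '.join((req.get('path', ''), req.get('query', ''), req.get('body', '')))
        return INDICATOR_RE.search(haystack) is not None

    def _over_rate(self, ip, now):
        q = self.recent[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) > self.rate_limit

    def decide(self, req):
        """Return (allowed, reason) for one request dict."""
        ip = req['ip']
        if not self._rpc_like(req):
            return True, 'not udrpc-related'
        if self._is_trusted(ip):
            return True, 'trusted source (UpdraftCentral dashboard / admin allowlist)'
        if self._over_rate(ip, req['ts']):
            return False, 'rate limit exceeded on udrpc-like endpoint'
        if not LOGGED_IN_COOKIE_RE.search(req.get('cookie', '')):
            return False, 'unauthenticated udrpc-like request'
        return True, 'logged-in user (cookie present; plugin must still verify it)'


def run_sample():
    """Replay constructed requests through the policy; returns [(label, allowed, reason)]."""
    vp = VirtualPatch(trusted_cidrs=['198.51.100.0/24'], rate_limit=3, window_seconds=60)
    ajax = '/wp-admin/admin-ajax.php'
    # Action names below are placeholders, not the plugin's real hooks.
    scanner = {'ip': '203.0.113.7', 'path': ajax, 'query': '',
               'body': 'action=udrpc_probe&udrpc_message=AAAA', 'cookie': ''}
    dashboard = {'ip': '198.51.100.20', 'path': ajax, 'query': '',
                 'body': 'action=updraftcentral_ping', 'cookie': ''}
    admin = {'ip': '192.0.2.9', 'path': ajax, 'query': 'action=updraftcentral_ping', 'body': '',
             'cookie': 'wordpress_logged_in_0123abcd=admin%7C1780000000%7Cxyz'}
    visitor = {'ip': '192.0.2.50', 'path': ajax, 'query': '', 'body': 'action=heartbeat', 'cookie': ''}
    results = []
    for i in range(4):                      # 4th scanner request trips the rate limit
        results.append(('scanner-%d' % (i + 1),) + vp.decide(dict(scanner, ts=i)))
    results.append(('dashboard',) + vp.decide(dict(dashboard, ts=5)))
    results.append(('admin',) + vp.decide(dict(admin, ts=6)))
    results.append(('visitor',) + vp.decide(dict(visitor, ts=7)))
    return results


if __name__ == '__main__':
    for label, allowed, reason in run_sample():
        print('%-10s %s  %s' % (label, 'ALLOW' if allowed else 'BLOCK', reason))
```

The order of the checks is the design point: the allowlist comes first so a legitimate UpdraftCentral dashboard (which has no WordPress cookie) keeps working, and the cookie check comes last because it is the weakest signal. Blocked decisions are what you alert on, as the last bullet above recommends.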
WP‑Firewall customers: we have released a mitigation rule to block common exploit patterns for this issue and actively monitor attempts across our network. If you need help enabling virtual patching for multiple sites, our platform can apply rules centrally.
Example ModSecurity rules and nginx snippet (templates)
Use these as starting points; tailor to your environment and test on staging before production.
ModSecurity (recommended, test before deploy):
# Block suspicious udRPC access (case-insensitive). Phase 2 so that ARGS from the
# POST body are inspected; in phase 1 only the URI and headers are available.
SecRule REQUEST_URI|ARGS|REQUEST_HEADERS "@rx (?i)(udrpc|updraftcentral)" \
    "id:100500,phase:2,deny,log,status:403,msg:'Block potential Updraft udRPC probing/exploit'"
# Extra: deny POSTs to udRPC-like URLs that carry no WordPress login cookie.
# Chained rules fire only when every link matches; the actions go on the first link.
SecRule REQUEST_METHOD "@streq POST" \
    "id:100501,phase:1,deny,log,status:403,chain,msg:'Block unauthenticated POST to udRPC-like endpoint'"
    SecRule REQUEST_URI "@rx (?i)(udrpc|updraftcentral|updraft)" "chain"
    SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0"
nginx (simple blocking by URL; nginx cannot inspect the POST body here, and the bare word "updraft" would also match the plugin's own asset paths under /wp-content/plugins/updraftplus/, so it is left out):
location ~* (udrpc|updraftcentral) {
    return 403;
}
Important: these rules are aggressive and will block legitimate operations if you use UpdraftCentral, whose dashboard connects without a WordPress login cookie. Allowlist the dashboard's source address and specific admin IPs so that administrative access keeps working.
Full remediation: update, verify and harden
- Update the plugin
- Update UpdraftPlus and any UpdraftCentral integrations to version 1.26.5 or later. This is the definitive fix.
- Always test updates on a staging site where possible before production.
- Verify integrity of files
- Compare plugin files against a known-good copy (download the plugin package from the official plugin repository).
- Look for recently modified files with suspicious content (web shells, eval(base64_decode(…)), unknown PHP files).
- Change credentials and rotate keys
- Change admin passwords, reset API keys used by backups or external services, and rotate database credentials if you suspect a compromise.
- Remove unauthorized accounts
- Check wp_users and wp_usermeta for unexpected accounts or role changes and remove or demote any unauthorized users.
- Inspect backups and restore safely
- If backups were triggered or created during a suspected exploit window, handle them as evidence. Do not restore infected backups without cleaning them first.
- Rescan for malware
- Run a full site malware scan (file and database) with tools you trust. If possible, have a second security expert audit the site.
- Reactivate services
- After confirming a clean state, re-enable any temporarily disabled plugins and remove temporary firewall blocks, limiting them to a minimum necessary policy.
If you discover a compromise: incident response checklist
If your forensic review indicates compromise, follow a structured incident response:
- Isolate
- Put the site into maintenance mode or block traffic at the firewall. Prevent further attacker access.
- Preserve evidence
- Preserve logs (webserver, WAF, database logs). Make read-only copies for investigation.
- Determine scope
- Determine which accounts, files, and systems were changed. Check database and uploads folders.
- Eradicate
- Remove web shells, unauthorized plugins/themes, and backdoors.
- Replace modified core/plugin files from a trusted source.
- Recover
- Restore from a clean backup or rebuild from a clean codebase. Rotate credentials once the site is clean.
- Monitor and learn
- Keep the site in a heightened monitoring state. Implement stricter policies, two-factor authentication, and continuous scanning.
- Notify stakeholders
- Inform site owners, customers, or affected individuals as required by policy or regulation.
If the compromise extends beyond a single site (e.g., within a hosting environment or across multiple managed sites), coordinate with your host or security provider to contain and remediate.
Hardening recommendations to reduce future risk
- Keep WordPress core, themes, and plugins updated, and apply updates in a controlled staging->production flow.
- Minimize plugin footprint: remove unused or redundant plugins.
- Use role minimization: only grant admin privileges to trusted users.
- Use strong passwords and enable two‑factor authentication for all admin users.
- Limit access to wp-admin and critical plugin endpoints via IP allowlisting when possible.
- Use a WAF and enable virtual patching for high‑risk vulnerabilities.
- Monitor logs centrally and set alerts for unexpected admin actions (new admin account creation, plugin install/removal).
- Regularly test backups by performing restores in staging environments.
- Use principle of least privilege for database users and file permissions.
Frequently asked questions
Q: If I update to 1.26.5, am I fully safe?
A: Updating to the patched version addresses the specific vulnerability and is the definitive fix. After updating, follow the verification steps above to ensure no persistence remains from prior exploitation.
Q: My host provides auto-updates. Is that enough?
A: Auto-updates reduce risk, but you must still verify that the update succeeded and scan your site for any signs of compromise that occurred prior to the update.
Q: Should I disable UpdraftPlus until I can update?
A: If you cannot apply the patch or virtual patch immediately, temporarily deactivate the plugin. Deactivation prevents the vulnerable code from running.
Q: Can attackers exfiltrate backups?
A: Yes — if attackers can trigger backups and then retrieve them, sensitive files and database dumps could be exfiltrated. That’s a core reason to treat this vulnerability as high risk.
WP‑Firewall free protection plan — Protect your site now
Fast, essential protection for every WordPress site
If you’re looking to quickly reduce risk while you update plugins and perform forensic checks, consider adding an additional layer of protection with WP‑Firewall. Our Basic (Free) plan gives your site essential managed firewall protection tailored for WordPress:
- Managed firewall with OWASP Top 10 mitigations
- Web Application Firewall (WAF) rules that can block known exploit patterns
- Unlimited bandwidth and malware scanning to help spot suspicious files
- Centralized rule deployment so you can apply virtual patches without changing site code
Sign up for the Basic (Free) plan now to get immediate virtual protection while you update UpdraftPlus: https://my.wp-firewall.com/buy/wp-firewall-free-plan/
(If you need automated removal, custom IP allowlisting, or continuous virtual patching at scale, evaluate our paid plans which include automatic malware removal, monthly security reports, and auto vulnerability virtual patching.)
Final notes and next steps
- Immediate action: Update UpdraftPlus to version 1.26.5 or later as soon as possible.
- If you cannot update immediately, implement virtual patching (block udRPC-like access), restrict plugin pages to admin IPs, or temporarily deactivate the plugin.
- Monitor logs for probing activity and indicators like “udrpc” requests.
- If you suspect compromise, follow the incident response checklist and treat backups created during the compromise window as potentially tainted.
We at WP‑Firewall are monitoring attack patterns related to this issue and have released mitigation rules that can be applied instantly. If you manage multiple sites, centralized virtual patching and monitoring can dramatically reduce the time your assets are exposed.
For help enabling virtual patching, deploying the recommended WAF rules, or performing a compromise assessment, contact your security team or reach out to the WP‑Firewall support channel in your dashboard.
Stay safe and prioritize patching — this one is urgent.
— WP‑Firewall Security Team
References and sources
- CVE: CVE‑2026‑10795
- UpdraftPlus patched release: 1.26.5 (apply immediately)
- General WordPress incident handling guidance (follow the steps in this advisory)
