A critical exploit in the UpdraftPlus WordPress plugin, identified as CVE-2026-10795, poses a significant threat to over three million sites due to an authentication bypass vulnerability. Cybersecurity experts have reported ongoing attacks, with almost 5,000 attempts blocked in a single day. The vulnerability allows unauthenticated users to run arbitrary Remote Procedure Calls (RPC) and upload malicious plugins, leading to potential full site compromise.
The flaw results from a cryptographic validation error, leading the system to insecure handling of malformed keys. Developers have released a security patch, and all users are urged to update their UpdraftPlus installations to secure their sites.