On June 2nd, 2026, we received a submission for a critical Unauthenticated Authentication Bypass vulnerability in UpdraftPlus, a WordPress plugin with more than 3 million active installations. Although the plugin has such a large install base, the vulnerability is only exploitable on sites that have previously been connected to UpdraftCentral, the plugin’s remote site management dashboard. On affected sites, this vulnerability allows unauthenticated attackers to run arbitrary Remote Procedure Calls (RPC) as the connected administrator, for example, uploading and activating a malicious plugin, resulting in arbitrary PHP code execution and complete site compromise.
Props to vtim who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $5,200.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 3, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on July 3, 2026.
We provided full disclosure details to the UpdraftPlus team through our Wordfence Vulnerability Management Portal on June 3, 2026. The developer acknowledged the report on June 4, 2026, and released the fully patched version on June 5, 2026. We would like to commend the UpdraftPlus team for their prompt response and timely patch.
We urge users to update their sites to the latest patched version of UpdraftPlus as soon as possible.
Technical Analysis
UpdraftPlus is a popular WordPress plugin for creating backups, as well as migration, and remote site management. It optionally integrates with UpdraftCentral, a centralized site management dashboard available both as a hosted cloud service and as a self-hosted product, allowing administrators to manage multiple WordPress sites from a single interface.
To support this integration, UpdraftPlus bundles a remote communications library that, once a site has been connected to UpdraftCentral, registers an unauthenticated RPC listener on every page load. This listener accepts POST requests containing a serialized udrpc_message and dispatches the decoded command on behalf of the connecting administrator.
Once the listener has decided to process the message, it calls the decrypt_message() function from the UpdraftPlus_Remote_Communications_V2 class, which extracts the base64-encoded encrypted symmetric key portion from the message, attempts to decrypt it with the site’s local RSA private key, and then uses the result directly as the AES key for decrypting the message body.
    public function decrypt_message($message) {
        if (!$this->key_local) throw new Exception('No decryption key has been set');
        $rsa = new phpseclib_Crypt_RSA();
        if (defined('UDRPC_PHPSECLIB_ENCRYPTION_MODE')) $rsa->setEncryptionMode(UDRPC_PHPSECLIB_ENCRYPTION_MODE);
        // Defaults to CRYPT_AES_MODE_CBC
        $rij = new phpseclib_Crypt_Rijndael();
        // Extract the Symmetric Key
        $len = substr($message, 0, 3);
        $len = hexdec($len);
        $sym_key = substr($message, 3, $len);
        // Extract the encrypted message
        $cipherlen = substr($message, ($len + 3), 16);
        $cipherlen = hexdec($cipherlen);
        $ciphertext = substr($message, ($len + 19), $cipherlen);
        $ciphertext = base64_decode($ciphertext);
        // Decrypt the encrypted symmetric key
        $rsa->loadKey($this->key_local);
        $sym_key = base64_decode($sym_key);
        $sym_key = $rsa->decrypt($sym_key);
        // Decrypt the message
        $rij->setKey($sym_key);
        return $rij->decrypt($ciphertext);
    }
Unfortunately, the function does not check the return value of $rsa->decrypt(). When the supplied encrypted key is malformed, phpseclib’s RSA::decrypt() returns false rather than throwing an exception. Passing false to Rijndael::setKey() collapses to a deterministic cipher with an all-zero AES-128 key, an all-zero initialization vector, and PKCS7 padding. An attacker can reproduce this exact configuration locally, encrypt a message of their choosing, and have the server successfully decrypt it without ever needing access to the site’s keys.
This means that an unauthenticated attacker can craft a fully forged udrpc_message that the listener accepts and dispatches as if it had been signed and encrypted by the connected UpdraftCentral dashboard.
When the dispatcher hands the message off to the UpdraftCentral listener in UpdraftCentral_Listener::udrpc_action(), it calls wp_set_current_user() with the user ID of the administrator who originally connected the site to UpdraftCentral. From that point on, every WordPress capability check sees the request as coming from a fully authenticated administrator.
UpdraftPlus implements a number of powerful RPC commands, for example, plugin.upload_plugin, which writes an arbitrary plugin ZIP to disk via file_put_contents() and installs it through Plugin_Upgrader::install(), and plugin.activate_plugin, which activates the newly installed plugin. By uploading a plugin that contains a simple PHP webshell, an attacker can gain arbitrary PHP and operating system command execution.
The Patch
The vendor addressed this issue by adding a return-value check to the decrypt_message() function.
    public function decrypt_message($message) {
        if (!$this->key_local) throw new Exception('No decryption key has been set');
        $rsa = new phpseclib_Crypt_RSA();
        if (defined('UDRPC_PHPSECLIB_ENCRYPTION_MODE')) $rsa->setEncryptionMode(UDRPC_PHPSECLIB_ENCRYPTION_MODE);
        // Defaults to CRYPT_AES_MODE_CBC
        $rij = new phpseclib_Crypt_Rijndael();
        // Extract the Symmetric Key
        $len = substr($message, 0, 3);
        $len = hexdec($len);
        $sym_key = substr($message, 3, $len);
        // Extract the encrypted message
        $cipherlen = substr($message, ($len + 3), 16);
        $cipherlen = hexdec($cipherlen);
        $ciphertext = substr($message, ($len + 19), $cipherlen);
        $ciphertext = base64_decode($ciphertext);
        // Decrypt the encrypted symmetric key
        $rsa->loadKey($this->key_local);
        $sym_key = base64_decode($sym_key);
        $sym_key = $rsa->decrypt($sym_key);
        if (false === $sym_key || !is_string($sym_key) || strlen($sym_key) < 16) {
            return false;
        }
        // Decrypt the message
        $rij->setKey($sym_key);
        return $rij->decrypt($ciphertext);
    }
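The same fail-closed handling written out in Go (chosen because its standard library ships the RSA and AES primitives), as an added example that is not UpdraftPlus or phpseclib code. It assumes OAEP for the RSA step and the zero IV and PKCS7 padding the post describes, and it goes slightly beyond the patch by also validating the ciphertext block alignment and the padding before returning plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// decryptMessage follows the listener's hybrid scheme: a base64, RSA-encrypted
// AES key (OAEP assumed), then a base64 AES-CBC body with zero IV and PKCS7.
// A failed RSA decrypt or an odd-sized key is rejected, never fed to AES.
func decryptMessage(priv *rsa.PrivateKey, encKeyB64, ctB64 string) ([]byte, error) {
	encKey, err := base64.StdEncoding.DecodeString(encKeyB64)
	if err != nil {
		return nil, fmt.Errorf("key field is not base64: %w", err)
	}
	symKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, encKey, nil)
	if err != nil {
		return nil, fmt.Errorf("symmetric key did not decrypt, message rejected: %w", err)
	}
	if n := len(symKey); n != 16 && n != 24 && n != 32 {
		return nil, fmt.Errorf("symmetric key has invalid length %d", n)
	}
	ct, err := base64.StdEncoding.DecodeString(ctB64)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(symKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct) // zero IV
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS7 padding")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key, not a site key
	_, err := decryptMessage(priv, base64.StdEncoding.EncodeToString(make([]byte, 256)), "AAAAAAAAAAAAAAAAAAAAAA==") // garbage key blob
	fmt.Println("garbage key blob:", err) // rejected, not decrypted with a fallback key
}
```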
Wordfence Firewall
The following graphic demonstrates the steps an attacker might take toward exploitation and the point at which the Wordfence firewall would block the attempt before the vulnerability can be exploited.
Disclosure Timeline
June 1, 2026 – We received the submission for the Unauthenticated Authentication Bypass vulnerability in UpdraftPlus via the Wordfence Bug Bounty Program.
June 3, 2026 – We validated the report and confirmed the proof-of-concept exploit. Full disclosure details were sent instantly to the vendor through our Wordfence Vulnerability Management Portal.
June 3, 2026 – Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
June 4, 2026 – The vendor acknowledged the report and began working on a fix.
June 5, 2026 – The fully patched version of the plugin, 1.26.5, was released.
July 3, 2026 – Wordfence Free users will receive the same protection.
Conclusion
In this blog post, we detailed a critical Unauthenticated Authentication Bypass vulnerability within the UpdraftPlus plugin affecting all versions up to, and including, 1.26.4. This vulnerability allows unauthenticated threat actors to execute arbitrary code on the server when the site has previously been connected to an UpdraftCentral dashboard, by combining a bypassable signature check with a failed-decryption fallback that collapses to a deterministic all-zero AES key. The vulnerability has been fully addressed in version 1.26.5 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of UpdraftPlus as soon as possible considering the critical nature of this vulnerability.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 3, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on July 3, 2026.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
