The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
UpdraftPlus is one of WordPress's most popular backup and migration plugins, trusted by millions of sites for critical data protection operations. CVE-2026-10795 exposes a critical flaw in the plugin's remote communications handler that allows unauthenticated attackers to bypass signature verification and forge authenticated requests. The vulnerability stems from insufficient validation of message formats in the UpdraftPlus_Remote_Communications_V2 class, where cryptographic signature checks can be circumvented and decryption failures default to a predictable all-zero encryption key. This means attackers can impersonate legitimate remote commands without valid credentials, potentially gaining unauthorized access to backup operations, site configuration, and sensitive data. Any WordPress installation running UpdraftPlus versions 1.26.4 or earlier is at risk, making this a widespread threat affecting backup infrastructure across the web.
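The two failure modes named above (a decryption result that is never checked, so a failure collapses into an all-zero key, and a message format check loose enough that signature verification can be skipped) are generic enough to show in isolation. The PHP below is an added illustration written for this page; it is not UpdraftPlus code and does not reproduce the plugin's actual logic. The function names, the `format`/`payload`/`signature` envelope layout, and the use of `str_pad()` as the step that turns `false` into NUL bytes are all hypothetical, chosen only to make the pattern visible beside a fail-closed version.

```php
<?php
// Added illustration (hypothetical, not UpdraftPlus code): why an unchecked
// decryption return value is dangerous, and what a strict receiver does instead.

const KEY_LEN = 32;

// Weak pattern: openssl_decrypt() returns false on failure. The caller never
// checks it, casts it to "" and pads to KEY_LEN, so any undecryptable input
// yields a key of 32 NUL bytes that an attacker can predict.
function derive_session_key_unchecked(string $wrapped_key, string $kek, string $iv): string {
    $plain = openssl_decrypt($wrapped_key, 'aes-256-cbc', $kek, OPENSSL_RAW_DATA, $iv);
    return str_pad((string) $plain, KEY_LEN, "\0");
}

// Fail-closed pattern: a decryption failure or a wrong-length result is an error,
// never a default key.
function derive_session_key_checked(string $wrapped_key, string $kek, string $iv): string {
    $plain = openssl_decrypt($wrapped_key, 'aes-256-cbc', $kek, OPENSSL_RAW_DATA, $iv);
    if ($plain === false || strlen($plain) !== KEY_LEN) {
        throw new RuntimeException('key unwrap failed');
    }
    return $plain;
}

// Message-format check done before anything is decrypted or executed:
// every field is mandatory, only the signed format is accepted, and the
// signature is compared in constant time over the exact payload bytes.
function verify_envelope(array $msg, string $mac_key): bool {
    if (!isset($msg['format'], $msg['payload'], $msg['signature'])) {
        return false; // a missing signature field must not mean "unsigned is fine"
    }
    if ($msg['format'] !== 2) {
        return false; // refuse older/unsigned formats rather than downgrading
    }
    $expected = hash_hmac('sha256', $msg['payload'], $mac_key);
    return hash_equals($expected, $msg['signature']);
}

// Demonstration with constructed values.
$kek   = random_bytes(32);
$iv    = random_bytes(16);
$bogus = 'not-a-real-ciphertext'; // constructed garbage; not a valid AES-CBC block sequence

$zero_key = derive_session_key_unchecked($bogus, $kek, $iv);
echo 'unchecked path produced all-zero key: ',
     var_export($zero_key === str_repeat("\0", KEY_LEN), true), "\n";

try {
    derive_session_key_checked($bogus, $kek, $iv);
    echo "checked path accepted the input (unexpected)\n";
} catch (RuntimeException $e) {
    echo 'checked path refused: ', $e->getMessage(), "\n";
}

$mac_key  = random_bytes(32);
$signed   = ['format' => 2, 'payload' => 'list_backups',
             'signature' => hash_hmac('sha256', 'list_backups', $mac_key)];
$unsigned = ['format' => 1, 'payload' => 'list_backups'];
echo 'signed envelope accepted: ',   var_export(verify_envelope($signed, $mac_key), true), "\n";
echo 'unsigned envelope accepted: ', var_export(verify_envelope($unsigned, $mac_key), true), "\n";
```

The point for reviewers of any remote-command handler is the ordering: validate the envelope shape, verify the signature, and only then decrypt, treating `false` from `openssl_decrypt()` as a hard stop rather than a value to keep processing.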
While this CVE lacks direct MITRE ATT&CK mappings, Casky's 754 security skills—powered by Claude's extended reasoning—would detect the attack patterns underlying this vulnerability by identifying suspicious remote communications that bypass expected authentication workflows. Practitioners leveraging Casky would observe findings related to improper cryptographic implementation (CWE-347), including detection of forged backup requests, anomalous encryption key derivation patterns, and unsigned remote commands reaching the backup handler. The platform's skill matrix would flag unauthorized administrative operations initiated through the vulnerable communications channel, signature validation failures that should block requests but don't, and attempts to decrypt or modify backup metadata without proper credentials. This behavioral analysis helps practitioners spot exploitation attempts in logs and network traffic before backups are compromised or malicious commands are executed against their WordPress infrastructure.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-10795. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation