Critical Unauthenticated Authentication Bypass in UpdraftPlus: What You Need to Know & How to Stay Safe
If your WordPress website relies on the popular UpdraftPlus plugin for backups, as over three million active sites do, recent security news demands your immediate attention. On June 2, 2026, security researchers discovered a critical unauthenticated authentication bypass vulnerability in UpdraftPlus.
The vulnerability, tracked by Wordfence, allows unauthenticated attackers to take complete control of vulnerable sites. The good news is that a patch has been released. Here’s everything you need to know to protect your business.
Who Is at Risk and What Is the Impact?
The vulnerability affects all versions of UpdraftPlus up to and including version 1.26.4. However, it is only exploitable on sites that have previously been connected to UpdraftCentral, the plugin’s remote site management dashboard. This means that not every site using UpdraftPlus is automatically vulnerable, but if you have ever used the UpdraftCentral feature, you are at risk.
On affected sites, an attacker can run arbitrary Remote Procedure Calls (RPC) as the connected administrator. This means they could:
- Upload and activate a malicious plugin
- Execute arbitrary PHP code on your server
- Gain complete control of your website
- Deface your site, steal customer data, or use it to launch further attacks
How the Attack Works
To support remote management, UpdraftPlus registers an unauthenticated RPC listener on every page load of sites connected to UpdraftCentral. This listener accepts POST requests and dispatches commands on behalf of the connected administrator.
The critical flaw is in the error handling of the decryption step. When a malformed encrypted key is supplied, the decryption function's return value is not properly checked. The failed decryption collapses to a deterministic all-zero AES key, so an attacker can craft a forged message that the server accepts as legitimate.
From there, the attacker’s forged request is treated as coming from a fully authenticated administrator, giving them complete access to the site’s powerful RPC commands, such as plugin.upload_plugin and plugin.activate_plugin. By uploading a plugin containing a simple PHP webshell, the attacker gains arbitrary PHP and operating system command execution.
The Good News: The Patch Is Here
The UpdraftPlus team acted swiftly. After receiving disclosure details on June 3, they acknowledged the report on June 4, 2026, and released the fully patched version (1.26.5) on June 5, 2026. This patch adds a proper return-value check to the decryption function, ensuring that malformed keys are rejected outright.
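To make the flaw and the fix concrete, here is an added illustrative example written for this post. It is not UpdraftPlus's or UpdraftCentral's code: the function names, the RSA-wrapped session-key layout and the use of openssl_private_decrypt() are assumptions about the general pattern the advisory describes. It shows why ignoring the decryption function's return value yields a fixed all-zero key in PHP, and the fail-closed check that the patch is described as adding:

```php
<?php
// Added illustrative example (not UpdraftPlus code). Assumed protocol shape:
// the remote side wraps a fresh 256-bit AES key with the site's RSA public key,
// the site unwraps it with its private key and uses it for the RPC payload.
// All names below are hypothetical.
declare(strict_types=1);

const SESSION_KEY_BYTES = 32; // AES-256

/**
 * Vulnerable pattern: openssl_private_decrypt() returns false on failure, but the
 * boolean is ignored and whatever is in $sessionKey is used as the AES key.
 * PHP's openssl_decrypt() silently pads a too-short key with NUL bytes, so an
 * empty (or false) key becomes 32 zero bytes: a deterministic key anyone knows.
 */
function unwrap_key_vulnerable(string $wrapped, string $privateKeyPem): string
{
    $sessionKey = '';
    openssl_private_decrypt($wrapped, $sessionKey, $privateKeyPem, OPENSSL_PKCS1_OAEP_PADDING);
    return $sessionKey; // on malformed input this is still ''
}

/**
 * Hardened pattern: fail closed. The request is only accepted when the unwrap
 * succeeded AND produced a key of exactly the expected length.
 */
function unwrap_key_fixed(string $wrapped, string $privateKeyPem): ?string
{
    $sessionKey = '';
    $ok = openssl_private_decrypt($wrapped, $sessionKey, $privateKeyPem, OPENSSL_PKCS1_OAEP_PADDING);
    if ($ok !== true || strlen($sessionKey) !== SESSION_KEY_BYTES) {
        return null; // caller must treat null as "unauthenticated request"
    }
    return $sessionKey;
}

// --- Demonstration with a freshly generated key pair (constructed test data) ---
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $privPem);
$pubPem = openssl_pkey_get_details($pair)['key'];

// 1. A malformed wrapped key (random bytes) that cannot be unwrapped.
$garbage = random_bytes(256);

$k1 = unwrap_key_vulnerable($garbage, $privPem);
printf("vulnerable: accepted a %d-byte key\n", strlen($k1)); // 0 bytes

// Show that the empty key is equivalent to the all-zero AES-256 key.
$iv = random_bytes(16);
$ct = openssl_encrypt('probe', 'aes-256-cbc', str_repeat("\0", SESSION_KEY_BYTES), OPENSSL_RAW_DATA, $iv);
$pt = openssl_decrypt($ct, 'aes-256-cbc', $k1, OPENSSL_RAW_DATA, $iv);
printf("vulnerable: '' key decrypts zero-key ciphertext: %s\n", $pt === 'probe' ? 'yes' : 'no');

$k2 = unwrap_key_fixed($garbage, $privPem);
printf("fixed: %s\n", $k2 === null ? 'malformed key rejected' : 'unexpected success');

// 2. A well-formed wrapped key still works after the fix.
$realKey = random_bytes(SESSION_KEY_BYTES);
openssl_public_encrypt($realKey, $wrapped, $pubPem, OPENSSL_PKCS1_OAEP_PADDING);
$k3 = unwrap_key_fixed($wrapped, $privPem);
printf("fixed: legitimate key unwrapped: %s\n", $k3 === $realKey ? 'yes' : 'no');
```

Run with `php example.php` on PHP 8 with the openssl extension. The vulnerable function reports a zero-length key, which openssl_decrypt() pads to 32 zero bytes, so ciphertext produced under the all-zero key decrypts. The hardened function returns null for the malformed input and the caller rejects the request, while a properly wrapped key is still accepted. The length check matters as much as the boolean check: a decryption that "succeeds" but returns a key of the wrong size must also be treated as a failure.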
What You Must Do Now
1. Update Immediately
The single most important action is to update UpdraftPlus to version 1.26.5 or later. Go to your WordPress dashboard → Plugins → Installed Plugins. If an update is available, click “Update Now” for UpdraftPlus.
2. Verify UpdraftCentral Connections
If you are not actively using UpdraftCentral, consider disconnecting any previously connected sites. To check for an active connection, go to the UpdraftPlus settings page and navigate to the Advanced Tools tab. Under the “UpdraftCentral (Remote Control)” section, look for a connection key. If a key exists and you are not using the service, revoke it to eliminate the attack surface.
3. Strengthen Your Security Posture
The UpdraftPlus vulnerability highlights a broader truth: proactive, layered security is your best defence. Consider implementing a Web Application Firewall (WAF) that can block exploit attempts before they reach your site. Wordfence Premium users received a firewall rule on June 3, 2026. Free users will receive it on July 3, 2026.
How BG Cyber Connect Can Help
Staying on top of security patches and monitoring for vulnerabilities is a full-time job. At BG Cyber Connect, we specialise in proactive WordPress security. We can:
- Perform a complete security audit of your WordPress site, including plugin vulnerabilities
- Implement a Web Application Firewall (WAF) to block zero-day and known threats
- Provide ongoing vulnerability scanning and patch management
- Remediate compromised sites and restore clean backups if an incident occurs
Don’t wait for an attacker to exploit an overlooked plugin. Contact us today to ensure your website is protected.
Contact BG Cyber Connect for a WordPress Security Assessment
Closing Thoughts
The UpdraftPlus vulnerability is a powerful reminder that even the most popular, well-maintained plugins can harbour critical flaws. Timely updates and a proactive security strategy are not optional; they are the foundation of digital resilience.
Take action now. Update UpdraftPlus, review your UpdraftCentral connections, and consider a professional security audit. Your website and your business depend on it.