A vulnerability in the UpdraftPlus: WP Backup & Migration Plugin affects more than 3 million WordPress websites, permitting unauthenticated attackers to execute commands as administrators. This flaw allows attackers to upload and activate malicious plugins, leading to potential remote code execution.
The UpdraftPlus Backup & Migration Plugin is widely used for creating backups and migrating WordPress sites. It is currently installed on over 3 million websites. The vulnerability does not require an attacker to log in or possess a WordPress account to exploit it. However, only sites with an active Migrator key or UpdraftCentral key are confirmed to be vulnerable.
All versions up to and including 1.26.4 are affected. The flaw resides in the UpdraftPlus_Remote_Communications_V2::wp_loaded function and is classified as an authentication bypass: unauthenticated attackers can circumvent the plugin’s identity verification and gain administrator-level access.
According to security firm Wordfence, the flaw stems from insufficient validation of remote communications message formats. This failure lets attackers forge arbitrary RPC commands, which the plugin then executes as legitimate administrator instructions.
The situation illustrates a critical coding flaw: the authentication controls meant to verify that commands are authentic can be bypassed, effectively leaving a backdoor open to unauthorized actions. On a compromised site, attackers may install backdoor plugins, which can facilitate data theft, malware addition, or total control of the website.
Wordfence reported a significant risk, noting it blocked 8,172 attempted exploits of this vulnerability in a single day. This figure highlights the active attempts by hackers to take advantage of the flaw, though it does not confirm successful compromises.
UpdraftPlus has released a patch for all affected users to secure their installations. Users are urged to update to version 1.26.5 immediately to mitigate this vulnerability.
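For administrators who need to find which installations still need the update, the following added example (not from UpdraftPlus or Wordfence) reads the plugin's version header under each WordPress root and compares it with the 1.26.5 boundary given above. The plugin path wp-content/plugins/updraftplus/updraftplus.php, the status names and the sample sites are assumptions made for this sketch; it does not check whether a Migrator or UpdraftCentral key is active.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 26, 5)  # from the article: affected through 1.26.4, fixed in 1.26.5
# Assumption: default WordPress layout and the plugin's usual directory and file name.
PLUGIN_MAIN = Path("wp-content/plugins/updraftplus/updraftplus.php")
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)\s*$", re.I | re.M)


def triage(wp_root):
    """Return (version, status) for one WordPress root directory."""
    main = Path(wp_root) / PLUGIN_MAIN
    if not main.is_file():
        return None, "not-installed"
    # Plugin headers sit at the top of the main file; 8 KiB is enough to find them.
    head = main.read_bytes()[:8192].decode("utf-8", errors="replace")
    match = VERSION_RE.search(head)
    if not match:
        return None, "unknown"
    version = match.group(1)
    parts = tuple(int(p) for p in version.split("."))
    if parts[0] != FIXED[0]:
        # The article only gives a 1.x boundary, so other lines need a manual check.
        return version, "review"
    parts += (0,) * (len(FIXED) - len(parts))  # "1.26" compares as 1.26.0
    return version, "affected" if parts < FIXED else "patched"


def make_site(base, name, header):
    """Create a constructed WordPress root for the demo; header=None means no plugin."""
    root = Path(base) / name
    if header is not None:
        main = root / PLUGIN_MAIN
        main.parent.mkdir(parents=True)
        main.write_text("<?php\n/*\nPlugin Name: UpdraftPlus\n" + header + "\n*/\n")
    else:
        root.mkdir(parents=True)
    return root


def demo():
    """Run the triage over constructed sample sites and return {site: status}."""
    samples = {"a": "Version: 1.26.4", "b": "Version: 1.26.5", "c": None,
               "d": "Version: 2.0.1", "e": "Author: nobody"}
    with tempfile.TemporaryDirectory() as base:
        return {n: triage(make_site(base, n, h))[1] for n, h in samples.items()}


if __name__ == "__main__":
    print(demo())
```

A status of "affected" means only that the installed version falls in the range named above; whether a key is configured on that site has to be checked separately.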





