UpdraftPlus WordPress Vulnerability Puts 3 Million Sites At Risk via @Sejournal, @Martinibuster

UpdraftPlus is one of the most widely deployed WordPress backup solutions, trusted by millions to safeguard site data and streamline migrations. Its popularity, however, turns into a liability when a single code flaw can compromise the entire ecosystem. The recent authentication‑bypass vulnerability highlights how even well‑maintained plugins can become attack vectors if remote communication checks are weak, especially when they handle privileged operations like plugin installation.

The technical root lies in the UpdraftPlus_Remote_Communications_V2::wp_loaded function, where insufficient validation of encrypted messages allows a predictable all‑zero key to bypass signature verification. This enables unauthenticated actors to forge RPC commands that the plugin treats as administrator instructions, such as uploading a malicious plugin that executes arbitrary code on the host server. Wordfence’s detection of over 8,000 attempts in a 24‑hour window demonstrates that threat actors are actively scanning for vulnerable installations, raising the probability of successful compromises across the massive user base.

For site owners and managed WordPress providers, the incident underscores the urgency of rapid patch deployment and continuous monitoring. Updating to version 1.26.5 or later eliminates the bypass, but organizations should also audit sites for active Migrator or UpdraftCentral keys, enforce least‑privilege principles, and employ Web Application Firewalls to block suspicious RPC traffic. The broader lesson is clear: reliance on third‑party plugins demands rigorous security vetting and a proactive response strategy to protect digital assets in an increasingly hostile web landscape.