Fix I.T. Phill – Your Go-To Tech Guru

UpdraftPlus CVE-2026-10795: Patch the Critical WordPress Backup Plugin Flaw

UpdraftPlus CVE-2026-10795 patch checklist for WordPress backup plugin administrators


June 11, 2026 update: UpdraftPlus CVE-2026-10795 is a critical WordPress backup-plugin vulnerability disclosed by Wordfence on June 10. Wordfence says the issue affects UpdraftPlus 1.26.4 and older, and WordPress.org currently lists UpdraftPlus 1.26.5 as the patched release with an upgrade notice calling it an important security fix.

Plain-English impact: UpdraftPlus is a backup and migration plugin with more than 3 million active installs. A weakness in a backup plugin deserves fast attention because backup tools often have access to database exports, site files, storage destinations, migration features, and remote-management connections.

Wordfence describes the vulnerable path as critical and says it matters especially for sites that have previously connected UpdraftPlus to an UpdraftCentral dashboard. Fix I.T. Phill did not find active exploitation or a CISA KEV entry for this CVE during this pass, but the install base and backup-plugin impact make this a patch-now item.

Who should check first

Safe update checklist

  1. Take a host-level backup first. Before updating a backup plugin, make sure you have a backup outside the plugin itself, such as a cPanel backup, Plesk backup, server snapshot, managed-host backup, or provider restore point.
  2. Check the installed version. If UpdraftPlus is 1.26.4 or older, treat the site as needing urgent maintenance.
  3. Update from a trusted source. Use the WordPress dashboard, WordPress.org, Plesk WordPress Toolkit, cPanel WordPress Toolkit, WP-CLI through your host, ManageWP, MainWP, or your managed hosting update workflow.
  4. Confirm version 1.26.5 or newer. Do not stop at “update available” or “update downloaded.” Verify the active plugin version after the update completes.
  5. Test the backup screen. Confirm scheduled backups, manual backups, storage destinations, retention settings, and restore-point visibility still look right.
  6. Run a small test backup when safe. For production stores or membership sites, choose a maintenance window or staging clone if backup jobs are heavy.
  7. Verify remote management. If the site uses UpdraftCentral, confirm that only expected dashboards and administrators are connected.
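For steps 2 and 4, an added example (not from Wordfence or the UpdraftPlus project) that reads the active plugin version through WP-CLI and compares it numerically with 1.26.5, so that 1.26.10 is not mistaken for an older build. It assumes WP-CLI is installed, the plugin slug is `updraftplus`, and the install uses the same 1.x numbering this article cites; the site paths you pass are your own.

```sh
#!/bin/sh
# Added example: flag UpdraftPlus installs older than the fixed release.
# Usage: sh check-updraftplus.sh /var/www/site-a /var/www/site-b   (example paths)
FIXED_VERSION="1.26.5"   # patched release named in this article

# is_version V -> true only for dotted numeric strings such as 1.26.4
is_version() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  return 0
}

# version_lt A B -> true when A is older than B, compared field by field
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    x=${x:-0}; y=${y:-0}          # a missing field counts as 0
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1                         # equal versions are not "older"
}

# classify_version V -> VULNERABLE, PATCHED, or UNKNOWN (review by hand)
classify_version() {
  if ! is_version "$1"; then echo UNKNOWN
  elif version_lt "$1" "$FIXED_VERSION"; then echo VULNERABLE
  else echo PATCHED
  fi
}

# audit_site PATH -> one tab-separated line: path, version, verdict
audit_site() {
  ver=$(wp plugin get updraftplus --field=version --path="$1" 2>/dev/null) || ver=
  printf '%s\t%s\t%s\n' "$1" "${ver:-not-found}" "$(classify_version "$ver")"
}

for site in "$@"; do
  audit_site "$site"
done
```

Run it again after the update completes; an UNKNOWN verdict means the plugin was not found or reported a version string the script does not parse, so check that site manually.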

If you cannot update right away

Do not leave an old backup plugin exposed while troubleshooting. Take a host-level backup, temporarily disconnect remote backup management where practical, restrict administrator access, and schedule a short maintenance window to update UpdraftPlus and test backup jobs.

If the update fails because of an old PHP version, theme conflict, or broken plugin stack, clone the site to staging and fix the compatibility problem there. For a business site, a temporary host-managed backup is better than keeping an outdated backup plugin live while hoping nothing happens.

Post-update review

Hosting-panel notes

Replacement guidance

UpdraftPlus is actively maintained and has a patched release on WordPress.org, so most sites should update rather than replace it. Replacement planning makes sense when a site cannot run the fixed version, the backup destination is no longer trusted, the license or remote-management setup is unknown, or the business needs a cleaner host-level backup process.

Before switching backup plugins, document backup schedules, storage destinations, retention rules, encryption settings, restore steps, and who receives alerts. A backup-plugin migration is only successful when a restore test works afterward.


Sources

Need help checking a WordPress backup plugin after a security update? Fix I.T. Phill can help confirm the plugin version, preserve a host-level backup, verify restore points, review backup destinations, and inspect the site for suspicious users or files.
