A critical flaw in the UpdraftPlus WordPress plugin has put more than 3 million sites at risk of takeover, and it is being actively exploited. Update to version 1.26.5 today.
An attacker does not need your password. The flaw lets them skip the login and act as admin. That is as bad as it gets.
A critical flaw in UpdraftPlus, one of the most common WordPress backup plugins, has put more than 3 million sites at risk. Tracked as CVE-2026-10795, the vulnerability lets an unauthenticated attacker bypass the login entirely and run commands as an administrator. From there they can upload and activate malicious plugins, which opens the door to full site takeover.
Every version up to and including 1.26.4 is affected. The fix is version 1.26.5, and site owners are urged to update immediately. Only sites with an active Migrator key or UpdraftCentral key are confirmed vulnerable, but Wordfence reported blocking nearly 5,000 attacks targeting the flaw in a single 24-hour window. This is being actively exploited right now.
Why it matters
Your website is your digital shopfront. If someone can walk in, take it over and install whatever they like, every lead, every sale and every bit of trust you have built runs through a compromised front door. A hijacked site can be defaced, used to serve malware to your customers or quietly stripped of data.
The boring truth is that most small business sites run a stack of plugins nobody checks. Backup tools like this one are installed and forgotten precisely because they sit in the background. That is exactly what makes them a target. Attackers go where the patching is slow.
Figure caption: The number of WordPress sites exposed by the UpdraftPlus flaw, which lets attackers act as admin without logging in. Source: Search Engine Journal
What to do about it
Update UpdraftPlus to 1.26.5 today. If you run WordPress, check this before you do anything else. It is a two-minute job.
Turn on auto-updates for plugins where you can. Manual patching always lags, and lag is what gets sites compromised.
Audit the plugins you actually use. Every inactive or abandoned plugin is a door you forgot to lock. Delete what you do not need.
Make sure you have a clean backup stored off the site. If the worst happens, a recent backup is the difference between an afternoon and a disaster.
Assign someone to own site security. If nobody is responsible for patching, nobody patches. That is how 3 million sites end up exposed.
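To make the first three steps above repeatable rather than a one-off look at the plugin screen, here is an added example (not from the article, Wordfence or the UpdraftPlus project) in POSIX shell. It takes the CSV that WP-CLI's `wp plugin list` can produce (the `--format=csv --fields=name,status,version` flags and field names are assumed, so check them against your WP-CLI version), flags any UpdraftPlus build below the fixed 1.26.5 named in the article, and lists inactive plugins that the audit step says to remove. A constructed sample inventory is embedded so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the article. Checks a WordPress plugin
# inventory for the vulnerable UpdraftPlus range (<= 1.26.4) and for
# inactive plugins that should be deleted.

FIXED_VERSION="1.26.5"   # first patched UpdraftPlus release, per the article

# Constructed sample of the CSV that
#   wp plugin list --format=csv --fields=name,status,version
# is assumed to print. Replace with real output on a live site.
SAMPLE_PLUGINS='name,status,version
updraftplus,active,1.26.4
akismet,inactive,5.3
hello-dolly,inactive,1.7.2
wordfence,active,7.11.0'

# version_lt A B: exit 0 if dotted numeric version A is lower than B.
# Pure POSIX shell, so it does not rely on GNU `sort -V`.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; a="${a#*.}"
        bi="${b%%.*}"; b="${b#*.}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1   # equal versions are not "lower"
}

# check_plugins: reads plugin CSV on stdin, prints one finding per line.
# Lines start with VULNERABLE, OK or INACTIVE so they are easy to grep.
check_plugins() {
    tail -n +2 | while IFS=, read -r name status version; do
        if [ "$name" = "updraftplus" ]; then
            if version_lt "$version" "$FIXED_VERSION"; then
                echo "VULNERABLE: updraftplus $version < $FIXED_VERSION (CVE-2026-10795), update now"
            else
                echo "OK: updraftplus $version is at or above $FIXED_VERSION"
            fi
        fi
        if [ "$status" = "inactive" ]; then
            echo "INACTIVE: $name $version, delete it if it is not needed"
        fi
    done
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_PLUGINS" | check_plugins
```

On a real site, pipe live output in instead of the sample: `wp plugin list --format=csv --fields=name,status,version | check_plugins`. The version comparison only handles dotted numeric versions; a suffix such as `-beta` would need stripping first.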
The website you treat as set-and-forget is the one that gets taken. Five minutes of patching today is cheaper than rebuilding trust after a breach. Go and check your version now.