If you run UpdraftPlus and you ever connected it to UpdraftCentral, update now. This bug could let an attacker take over the site without logging in.

Update UpdraftPlus now if you used UpdraftCentral

The UpdraftPlus team fixed a critical authentication bypass, a flaw that could give an attacker administrator-level access without valid credentials. According to Wordfence, an attacker could send remote procedure calls (remote commands) as the administrator account that made the UpdraftCentral connection. That is enough to upload and activate a malicious plugin and then run arbitrary code on the site.

This issue does not affect every UpdraftPlus site in the same way. Wordfence says the bug only worked on sites that had previously connected UpdraftPlus to UpdraftCentral, the plugin's remote management dashboard. If your site never used that connection, this specific exploit path does not apply. If you run UpdraftPlus and are not sure whether the site was ever connected, treat it as affected until you have confirmed the update.

Update UpdraftPlus now. If you ever used UpdraftCentral, review your administrator accounts and installed plugins right after the update: because the bug let an attacker act as the connected administrator, an unfamiliar admin user or an unfamiliar plugin is the trace to look for.
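The update-and-review step above, as an added example that is not code from the article or from the UpdraftPlus project. It uses WP-CLI (the "wp" command) to update the plugin and to snapshot administrator logins and installed plugin slugs, then compares the snapshot against a baseline taken earlier so that anything new stands out instead of relying on memory. WP-CLI being installed and run from the WordPress root, the file names, and the sample data in the demo are all this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or from the UpdraftPlus project.
# Post-update review: snapshot administrator accounts and installed plugins
# with WP-CLI, then compare against a baseline so anything new stands out.
# Assumptions: WP-CLI ("wp") is installed and these functions run from the
# WordPress root; the file names and the constructed sample data are this
# example's own.

# Update the plugin and report the version now installed (requires WP-CLI).
update_updraftplus() {
    wp plugin update updraftplus
    wp plugin get updraftplus --field=version
}

# Write sorted lists of administrator logins and installed plugin slugs to
# directory $1 for later comparison. LC_ALL=C keeps sort and comm in agreement.
snapshot_site() {
    mkdir -p "$1"
    wp user list --role=administrator --field=user_login | LC_ALL=C sort > "$1/admins.txt"
    wp plugin list --field=name | LC_ALL=C sort > "$1/plugins.txt"
}

# Print lines present in the current list ($2) but absent from the baseline ($1).
# comm -13 suppresses baseline-only and common lines, leaving only new ones.
new_entries() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Compare both lists; print anything unexpected and return 1 if there is any.
review_against_baseline() {
    base="$1"; cur="$2"; rc=0
    for kind in admins plugins; do
        new=$(new_entries "$base/$kind.txt" "$cur/$kind.txt")
        if [ -n "$new" ]; then
            printf 'Unexpected %s not in baseline:\n%s\n' "$kind" "$new"
            rc=1
        fi
    done
    return $rc
}

# Offline demonstration on constructed data: a "before" baseline and an
# "after" snapshot in which one admin account and one plugin have appeared.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/base" "$tmp/cur"
    printf 'admin\n' > "$tmp/base/admins.txt"
    printf 'akismet\nupdraftplus\n' > "$tmp/base/plugins.txt"
    printf 'admin\nbackup_helper\n' > "$tmp/cur/admins.txt"
    printf 'akismet\nsite-helper-tools\nupdraftplus\n' > "$tmp/cur/plugins.txt"
    if review_against_baseline "$tmp/base" "$tmp/cur"; then
        echo "No unexpected admins or plugins."
    fi
    rm -rf "$tmp"
}

demo
```

In practice, run snapshot_site once while the site is known to be clean and again after the update, then review_against_baseline on the two directories; the demo only shows the comparison logic on made-up data. A clean result means nothing new was added, not that the site is clean: an attacker who acted as the existing administrator account, or who modified an already installed plugin, leaves no new entry in either list.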
