Is CVE-2026-10795 in the CISA Known Exploited Vulnerabilities catalog?

CVE-2026-10795 is not currently listed in the CISA KEV catalog.

Which frameworks does CVE-2026-10795 affect?

CVE-2026-10795 affects WordPress.

Vulnerability intelligence

CVE-2026-10795

CVE-2026-10795 in UpdraftPlus — the most popular WordPress backup plugin — allows unauthenticated attackers to upload and activate malicious plugins via a cryptographic collapse to an all-zero key. Wordfence blocked 4,987 exploitation attempts in 24 hours. The tool installed to protect WordPress sites became the door attackers walked through.

WordPress 2026

What WebPulse reported · 3 analyses

UpdraftPlus Auth Bypass: The WordPress Backup Plugin on 3 Million Sites Just Became the Attack Vector. Zero Authentication. An All-Zero Encryption Key. Actively Exploited.

CVE-2026-10795 in UpdraftPlus — the most popular WordPress backup plugin — allows unauthenticated attackers to upload and activate malicious plugins via a crypt

June 16, 2026

CISA's New Directive: 3 Days to Patch the Worst Vulnerabilities. Not 30. Not 14. Three.

Binding Operational Directive 26-04 replaces the old 30-day patch window with risk-based timelines. Publicly exposed, auto-exploitable vulnerabilities in the KE

June 16, 2026

WordPress Just Admitted Its Plugin Ecosystem Needs AI to Police It. They Call It 'Protect The Shire.'

A 24-hour cooldown on all plugin releases. AI-assisted code review scanning 78,000 plugins. WordPress.org is building the security infrastructure it should have

June 14, 2026

View CVE-2026-10795 on the NIST National Vulnerability Database →

Related vulnerabilities

CVE-2026-8206 CVE-2026-8181 CVE-2026-3844 CVE-2026-4020 CVE-2026-1293 CVE-2026-8732 CVE-2026-4798 CVE-2026-3300