
Image credit: Search Engine Journal
A critical vulnerability in the UpdraftPlus WordPress plugin has exposed more than 3 million websites globally to unauthenticated remote code execution, cybersecurity firm Wordfence reported Tuesday.
The flaw, an authentication bypass, allows attackers to execute commands as an administrator without needing to log in or possess a WordPress account, potentially leading to full website compromise, Wordfence said.
Wordfence, a company specializing in WordPress security, stated that it blocked 8,172 attacks targeting this specific vulnerability within a single 24-hour period.
The vulnerability impacts WordPress sites utilizing the UpdraftPlus: WP Backup & Migration Plugin in versions up to and including 1.26.4, specifically those with an active Migrator key or UpdraftCentral key.
UpdraftPlus, a widely used plugin for backups and migrations, has released a patch to address the security flaw.
Users of the affected plugin versions are advised to update immediately to version 1.26.5 or newer to secure their websites against potential exploitation, according to security experts.
The authentication bypass nature of the vulnerability means that even sites with strong password policies could be at risk if they have not applied the necessary update, analysts said.
Cybersecurity analysts emphasized the urgency of patching, given the widespread use of the UpdraftPlus plugin across millions of WordPress installations.
The flaw highlights the ongoing challenges in maintaining web security, particularly with third-party plugins that extend the functionality of popular content management systems.
Source: Search Engine Journal
Written by
Saeed Ashif Ahmed
I’m Saeed, the CTO of Rabbit Rank, with over a decade of experience in Blogging and SEO since 2010. Partner with us to ensure your project is handled with quality and expertise.
Keep reading
Related Articles

Safari Introduces AI Debugging Server for Web Development
Safari launched a new Model Context Protocol (MCP) server, enabling AI agents to debug websites for SEO, Core...

Google integrates AI performance reports into Search Console
Google integrates AI search visibility into Search Console, signaling that AI optimization is part of SEO, not...

Fake DMCA Complaints Exploit Google Search for Content Removal
Fake DMCA complaints are unfairly removing legitimate content from Google search results, impacting publishers...