It is not possible to perform a wordpress upgrade with security.vcl enabled, at least the following modules are triggered while upgrading wordpress plugins:

• localfiles
• restrictedfileextensions
• xss
• sql

A sample request URL looks like this:
/wp-admin/update.php?action=install-plugin&plugin=backwpup&_wpnonce=c1e4532913

As this is a customer site being affected I can sadly not provide a live example.