CVE-2026-3339 in Keep Backup Daily Plugin

Summary

by MITRE • 03/21/2026

The Keep Backup Daily plugin for WordPress is vulnerable to Limited Path Traversal in all versions up to, and including, 2.1.1 via the `kbd_open_upload_dir` AJAX action. This is due to insufficient validation of the `kbd_path` parameter, which is only sanitized with `sanitize_text_field()` - a function that does not strip path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to list the contents of arbitrary directories on the server outside of the intended uploads directory.


Analysis

by VulDB Data Team • 03/27/2026

The CVE-2026-3339 vulnerability represents a critical path traversal flaw within the Keep Backup Daily WordPress plugin, affecting all versions through 2.1.1. This security weakness stems from inadequate input validation mechanisms that fail to properly sanitize user-supplied path parameters. The vulnerability specifically manifests through the `kbd_open_upload_dir` AJAX action, which processes the `kbd_path` parameter without sufficient security controls. The plugin's reliance on the `sanitize_text_field()` function for parameter validation proves insufficient, since this sanitization method does not remove or neutralize path traversal sequences such as `../` or `..\`. Attackers with administrator-level privileges or higher can exploit this weakness to enumerate directory contents beyond the intended upload directory boundaries, potentially accessing sensitive server files and data.

The technical implementation of this vulnerability demonstrates a classic insufficient input validation issue that aligns with CWE-22 Path Traversal and CWE-770 Allocation of Resources Without Limits or Throttling. The flaw operates through the AJAX interface where the `kbd_path` parameter is directly incorporated into file system operations without proper path normalization or restriction. This allows authenticated attackers to manipulate the path parameter to traverse directories outside the designated upload area, effectively bypassing the intended security boundaries of the plugin's file handling mechanism. The vulnerability's impact is amplified by the requirement for administrator-level access, which represents a privileged attack vector that can be leveraged for further exploitation within the compromised WordPress environment.

The operational implications of this vulnerability extend beyond simple directory enumeration, creating potential pathways for attackers to discover sensitive files, configuration data, or other system resources that should remain protected. An attacker could potentially access plugin configuration files, database connection details, or other administrative resources that might reveal additional attack vectors or system information. The vulnerability's exploitation requires minimal privileges but provides significant reconnaissance capabilities, making it particularly dangerous as an initial access or reconnaissance tool. This type of vulnerability falls under the ATT&CK technique T1083 File and Directory Discovery, where adversaries attempt to gather information about the file system structure and locate sensitive data.

Organizations should immediately implement mitigation strategies, including updating to the patched version of the Keep Backup Daily plugin, which should contain proper input validation and sanitization routines. The recommended approach involves implementing comprehensive path validation that strips or neutralizes path traversal sequences before any file system operations occur. Additionally, administrators should consider implementing network-level restrictions to limit access to AJAX endpoints and ensure that only authorized users can perform privileged operations. The vulnerability also underscores the importance of proper security testing and code review practices, particularly for plugins that handle file system operations. Organizations should conduct thorough security assessments of their WordPress installations to identify similar vulnerabilities in other plugins or themes, implementing principle-of-least-privilege access controls to minimize the impact of such flaws.
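As an added illustration of the path validation the analysis recommends (this is not the plugin's code; the function name and directory layout are hypothetical), the requested subpath is resolved with `realpath()` and accepted only if the result stays inside the base directory, which in a WordPress plugin would be `wp_upload_dir()['basedir']`:

```php
<?php
// Added example, not from the Keep Backup Daily plugin. Resolves a user-supplied
// relative path against a base directory and refuses anything that escapes it.
// Simple text sanitization (as with sanitize_text_field()) leaves "../" intact,
// so containment must be checked on the resolved filesystem path instead.

function kbd_resolve_listing_dir(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Only relative subpaths are expected: reject NUL bytes and absolute paths outright.
    if (strpos($requested, "\0") !== false || preg_match('#^([a-zA-Z]:)?[\\\\/]#', $requested)) {
        return null;
    }
    // realpath() collapses "." and ".." and resolves symlinks, so the check below
    // operates on the directory that would actually be listed.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Containment: the resolved path must be the base itself or a descendant of it.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo on a constructed directory tree under the system temp directory.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'kbd_demo_' . getmypid();
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads . DIRECTORY_SEPARATOR . 'backups', 0700, true);
mkdir($root . DIRECTORY_SEPARATOR . 'secret', 0700, true);

// Inputs 1 and 2 stay inside uploads/; 3, 4 and 5 would escape it and are rejected.
foreach (['backups', 'backups/../backups', '../secret', '..', '/etc'] as $input) {
    $resolved = kbd_resolve_listing_dir($uploads, $input);
    printf("%-22s => %s\n", var_export($input, true), $resolved ?? 'REJECTED');
}

// Clean up the constructed tree.
rmdir($uploads . DIRECTORY_SEPARATOR . 'backups');
rmdir($root . DIRECTORY_SEPARATOR . 'secret');
rmdir($uploads);
rmdir($root);
```

Because the comparison happens after `realpath()`, encoded or doubled traversal sequences that a string filter might miss are normalized away before the containment test runs.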

Responsible: Wordfence

Reservation: 02/27/2026

Disclosure: 03/21/2026

Moderation: accepted

CPE: ready

EPSS: 0.00020

KEV: no

Activities: very low
