CVE-2026-3577 in Keep Backup Daily Plugin

Summary

by MITRE • 03/21/2026

The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the backup title alias (`val` parameter) in the `update_kbd_bkup_alias` AJAX action in all versions up to, and including, 2.1.2. This is due to insufficient input sanitization and output escaping. While `sanitize_text_field()` strips HTML tags on save, it does not encode double quotes. The backup titles are output in HTML attribute contexts without `esc_attr()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via attribute injection that will execute whenever another administrator views the backup list page.


Analysis

by VulDB Data Team • 03/27/2026

The CVE-2026-3577 vulnerability resides within the Keep Backup Daily plugin for WordPress, representing a critical stored cross-site scripting flaw that compromises the security of WordPress installations. This vulnerability specifically targets the `update_kbd_bkup_alias` AJAX action, affecting all plugin versions up to and including 2.1.2. The flaw emerges from inadequate input validation and output escaping mechanisms within the plugin's codebase, creating a persistent security risk that can be exploited by authenticated attackers with administrator privileges or higher.

The technical implementation of this vulnerability stems from a fundamental mismanagement of user input sanitization and output encoding practices. While the plugin employs `sanitize_text_field()` to process the backup title alias parameter, this function fails to properly encode double quotes, leaving a critical gap in the sanitization process. The `sanitize_text_field()` function, although effective in removing HTML tags, does not address all potential XSS vectors, particularly those involving attribute contexts where double quotes can be used to break out of HTML attributes. This oversight creates an exploitable condition where malicious scripts can be injected into the backup title field and subsequently stored within the WordPress database.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with persistent access to administrative functions through the backup management interface. When administrators navigate to the backup list page, the stored malicious scripts execute in their browser context, potentially enabling attackers to perform actions such as credential theft, data manipulation, or further privilege escalation within the WordPress environment. The vulnerability specifically targets HTML attribute contexts where the backup titles are rendered without proper escaping using `esc_attr()`, creating a direct injection vector that bypasses standard WordPress security measures designed to prevent XSS attacks.

This vulnerability aligns with CWE-79, which defines Cross-Site Scripting as a common weakness in web applications where untrusted data is not properly escaped before being rendered in web pages. The flaw also maps to ATT&CK technique T1059.001, which describes the use of command and scripting interpreter for executing malicious code, as the stored XSS can be leveraged to execute arbitrary JavaScript within the administrator's browser session. Additionally, the vulnerability demonstrates characteristics of privilege escalation through persistent injection, as attackers require only administrator-level access to exploit the vulnerability, but the impact extends to potentially compromising the entire WordPress installation.

Mitigation for CVE-2026-3577 should start with updating the plugin to a version that fixes the input sanitization and output escaping deficiencies. Developers should treat `sanitize_text_field()` as insufficient on its own for attribute contexts and escape every value at output time with the WordPress function appropriate to that context, `esc_attr()` for data rendered inside HTML attributes, so that a double quote in a backup title cannot terminate the attribute. Security monitoring should include regular checks for unauthorized modifications to backup titles and other administrative settings, and network-based intrusion detection systems should be configured to identify potential XSS payloads in AJAX requests. Organizations should also consider role-based access controls, regular security audits of installed WordPress plugins, and backup strategies that can quickly restore systems after a successful exploitation.
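The following PHP is an added illustration of the sanitize-on-save versus escape-on-output gap described in the analysis and of the title-review check suggested in the mitigation section. It is not code from the Keep Backup Daily plugin or from WordPress: `kbd_demo_sanitize_text_field()` and `kbd_demo_esc_attr()` are simplified stand-ins that reproduce only the behaviour relevant here (tag stripping without quote encoding, and attribute-context encoding) so the file runs without WordPress loaded, the `kbd_render_row_*` functions are hypothetical renderers rather than the plugin's real markup, and the backup title is a constructed sample.

```php
<?php
// Added example, not plugin or WordPress code. The two *_demo_* helpers are
// stand-ins: they model only the behaviour of the real functions that matters
// for this weakness.

// Stand-in for sanitize_text_field(): strips tags and trims, but a double
// quote passes through untouched, exactly the gap the advisory describes.
function kbd_demo_sanitize_text_field(string $str): string {
    return trim(strip_tags($str));
}

// Stand-in for esc_attr(): encodes &, <, >, " and ' so the value cannot
// terminate the attribute it is placed in.
function kbd_demo_esc_attr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical vulnerable renderer: the stored (sanitized) alias is dropped
// straight into an attribute, so a quote in the alias closes the attribute.
function kbd_render_row_vulnerable(string $stored_alias): string {
    return '<input type="text" name="alias" value="' . $stored_alias . '">';
}

// Hypothetical hardened renderer: same markup, but the value is escaped for
// the attribute context at output time.
function kbd_render_row_hardened(string $stored_alias): string {
    return '<input type="text" name="alias" value="'
        . kbd_demo_esc_attr($stored_alias) . '">';
}

// Review check for the monitoring recommendation: flag stored aliases that
// contain characters capable of breaking out of an attribute or tag context.
function kbd_flag_suspicious_alias(string $stored_alias): bool {
    return preg_match('/["\'<>]/', $stored_alias) === 1;
}

// Constructed sample: a harmless title that happens to contain a double quote.
$submitted = 'nightly" class="injected';
$stored    = kbd_demo_sanitize_text_field($submitted); // quote survives save

echo "vulnerable: ", kbd_render_row_vulnerable($stored), PHP_EOL; // attribute boundary broken
echo "hardened:   ", kbd_render_row_hardened($stored), PHP_EOL;   // quote encoded as &quot;
echo "flagged:    ", kbd_flag_suspicious_alias($stored) ? 'yes' : 'no', PHP_EOL;
```

The review check is deliberately coarse: a legitimate title with an apostrophe will be flagged too, which is acceptable for a low-volume administrative table where the goal is to surface values worth a human look rather than to block them.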

Responsible: Wordfence

Reservation: 03/04/2026

Disclosure: 03/21/2026

Moderation: accepted

CPE: ready

EPSS: 0.00049

KEV: no

Activities: very low
