CVE-2026-4853

MEDIUM EPSS 49.0%
Published Apr 17, 20262mo ago · Modified Jun 17, 20261w ago
4.9 CVSS 3.1
Medium
Find Similar
Published Apr 17, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and including 3.1.19.8. This is due to insufficient input validation on the fileName parameter in the file upload handler. The plugin sanitizes the fileName parameter using sanitize_text_field(), which removes HTML tags but does not prevent path traversal sequences like '../'. The unsanitized filename is then directly concatenated in Upload::getFileLocation() without using basename() or validating the resolved path stays within the intended directory. When an invalid file is uploaded, the cleanup logic calls dirname() on the traversed path and passes it to Util::rm(), which recursively deletes the entire resolved directory. This makes it possible for authenticated attackers with administrator-level access to traverse outside the intended upload directory and trigger deletion of critical WordPress directories such as wp-content/plugins, effectively disabling all installed plugins and causing severe site disruption.

CVSS Details

Base Score
4.9
Exploitability
1.2
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
49.0% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

References 8

  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Ajax/Calls/AddToQueue.php#L244
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Ajax/Calls/AddToQueue.php#L64
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Upload/Upload.php#L66
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Ajax/Calls/AddToQueue.php#L244
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Ajax/Calls/AddToQueue.php#L64
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Upload/Upload.php#L66
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3495633%40backup&new=3495633%40backup&sfp_email=&sfph_mail=
  • wordfence.com https://www.wordfence.com/threat-intel/vulnerabilities/id/4aa0fa80-05dd-4fe1-b7b5-7ed0cf13053c?source=cve

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.