Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
The Keep Backup Daily plugin for WordPress is vulnerable to Limited Path Traversal in all versions up to, and including, 2.1.1 via the kbd_open_upload_dir AJAX action. This is due to insufficient validation of the kbd_path parameter, which is only sanitized with sanitize_text_field() - a function that does not strip path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to list the contents of arbitrary directories on the server outside of the intended uploads directory.
AnalysisAI
The Keep Backup Daily WordPress plugin versions up to 2.1.1 contain a limited path traversal vulnerability in the kbd_open_upload_dir AJAX action that allows authenticated administrators to enumerate arbitrary directories on the server. An attacker with Administrator-level access can exploit insufficient sanitization of the kbd_path parameter (using only sanitize_text_field() which does not prevent path traversal sequences) to list directory contents outside the intended uploads directory. While the CVSS score of 2.7 is low and exploitation requires high-privilege Administrator access, the vulnerability represents a real information disclosure risk in multi-user WordPress environments or where administrator accounts are compromised.
Technical ContextAI
The vulnerability stems from a path traversal weakness (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) in the Keep Backup Daily plugin (CPE: cpe:2.3:a:fahadmahmood:keep_backup_daily), which is a WordPress backup utility. The vulnerable code exists in the AJAX handler kbd_open_upload_dir within inc/functions.php (referenced at lines 855 and 871 in version 2.1.1). The root cause is reliance on sanitize_text_field(), a WordPress function designed to remove HTML and script content but which explicitly does not strip path traversal sequences such as ../ or ..\. This allows an attacker to construct paths like ../../etc/ to traverse outside the intended backup upload directory and enumerate arbitrary filesystem locations. The plugin's backup functionality makes directory listing particularly sensitive, as it could expose configuration files, source code, or other sensitive data.
RemediationAI
Update Keep Backup Daily to a version newer than 2.1.1 immediately; consult the WordPress plugin repository at https://plugins.trac.wordpress.org/changeset for the patched version (referenced changeset 3481587 indicates a fix has been committed). The patch should implement proper path validation using functions like wp_normalize_path() combined with realpath() verification to ensure the resolved path remains within the intended uploads directory. For users unable to patch immediately, restrict Administrator role assignment to only trusted users, monitor AJAX requests to the kbd_open_upload_dir action for suspicious kbd_path parameters containing traversal sequences, and consider disabling the plugin if its backup functionality is not actively required. Implement file integrity monitoring on sensitive directories (/wp-config.php, configuration files) to detect unauthorized enumeration attempts.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13897
GHSA-fxxv-5hv8-hp3c