Skip to main content

WordPress EUVDEUVD-2026-13897

| CVE-2026-3339 LOW
Path Traversal (CWE-22)
2.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 20, 2026 - 23:46 euvd
EUVD-2026-13897
Analysis Generated
Mar 20, 2026 - 23:46 vuln.today
CVE Published
Mar 20, 2026 - 23:25 nvd
LOW 2.7

DescriptionCVE.org

The Keep Backup Daily plugin for WordPress is vulnerable to Limited Path Traversal in all versions up to, and including, 2.1.1 via the kbd_open_upload_dir AJAX action. This is due to insufficient validation of the kbd_path parameter, which is only sanitized with sanitize_text_field() - a function that does not strip path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to list the contents of arbitrary directories on the server outside of the intended uploads directory.

AnalysisAI

The Keep Backup Daily WordPress plugin versions up to 2.1.1 contain a limited path traversal vulnerability in the kbd_open_upload_dir AJAX action that allows authenticated administrators to enumerate arbitrary directories on the server. An attacker with Administrator-level access can exploit insufficient sanitization of the kbd_path parameter (using only sanitize_text_field() which does not prevent path traversal sequences) to list directory contents outside the intended uploads directory. While the CVSS score of 2.7 is low and exploitation requires high-privilege Administrator access, the vulnerability represents a real information disclosure risk in multi-user WordPress environments or where administrator accounts are compromised.

Technical ContextAI

The vulnerability stems from a path traversal weakness (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) in the Keep Backup Daily plugin (CPE: cpe:2.3:a:fahadmahmood:keep_backup_daily), which is a WordPress backup utility. The vulnerable code exists in the AJAX handler kbd_open_upload_dir within inc/functions.php (referenced at lines 855 and 871 in version 2.1.1). The root cause is reliance on sanitize_text_field(), a WordPress function designed to remove HTML and script content but which explicitly does not strip path traversal sequences such as ../ or ..\. This allows an attacker to construct paths like ../../etc/ to traverse outside the intended backup upload directory and enumerate arbitrary filesystem locations. The plugin's backup functionality makes directory listing particularly sensitive, as it could expose configuration files, source code, or other sensitive data.

RemediationAI

Update Keep Backup Daily to a version newer than 2.1.1 immediately; consult the WordPress plugin repository at https://plugins.trac.wordpress.org/changeset for the patched version (referenced changeset 3481587 indicates a fix has been committed). The patch should implement proper path validation using functions like wp_normalize_path() combined with realpath() verification to ensure the resolved path remains within the intended uploads directory. For users unable to patch immediately, restrict Administrator role assignment to only trusted users, monitor AJAX requests to the kbd_open_upload_dir action for suspicious kbd_path parameters containing traversal sequences, and consider disabling the plugin if its backup functionality is not actively required. Implement file integrity monitoring on sensitive directories (/wp-config.php, configuration files) to detect unauthorized enumeration attempts.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-13897 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy