Impact
The Keep Backup Daily WordPress plugin suffers from a path traversal flaw (CWE-22) that allows an attacker to construct a download request resolving to an arbitrary file on the server. By supplying a specially crafted file path, an attacker can retrieve sensitive files such as configuration files, credentials, or log files, thereby leaking confidential data. The flaw does not provide a mechanism for code execution or denial-of-service but can lead to information disclosure.
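The root cause described above is a download handler that joins a client-supplied file name onto the backup directory without checking where the result lands. The following is an added illustration written for this page, not code from the Keep Backup Daily plugin (which is PHP; Python is used here so the check can be run stand-alone). The backup directory, archive name and request strings are constructed for the demonstration, and the same containment logic maps directly onto PHP's realpath() and basename().

```python
import os
import tempfile
from urllib.parse import unquote


def make_demo_backup_dir() -> str:
    """Create a constructed stand-in for the plugin's backup directory.
    Contains one fake archive plus, where symlinks are supported, a link that
    points outside the directory so the realpath() check can be exercised."""
    root = tempfile.mkdtemp(prefix="kbd-demo-")
    with open(os.path.join(root, "site-2024-01-01.zip"), "wb") as f:
        f.write(b"PK\x03\x04 constructed placeholder archive")
    try:
        outside = tempfile.NamedTemporaryFile(prefix="kbd-outside-", delete=False)
        outside.close()
        os.symlink(outside.name, os.path.join(root, "escape.zip"))
    except (OSError, NotImplementedError):
        pass  # platform without symlink support; the name still resolves to "missing"
    return root


def naive_download_path(backup_dir: str, requested: str) -> str:
    """Vulnerable pattern (CWE-22): the request value is joined onto the backup
    directory with no containment check, so '../' segments walk out of it and an
    absolute path discards the directory entirely."""
    return os.path.join(backup_dir, requested)


def safe_download_path(backup_dir: str, requested: str) -> str:
    """Hardened pattern: decode once, accept only a bare file name, canonicalise
    both sides with realpath(), and require the result to stay inside the backup
    directory and be a regular file. Raises on anything else."""
    name = unquote(requested)  # one decode so %2e%2e%2f cannot bypass the text check
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError("invalid backup file name")
    root = os.path.realpath(backup_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    # realpath() also follows symlinks, so a link inside the directory that
    # targets a file outside it is caught here rather than served.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes backup directory")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(name)
    return candidate


def demo() -> dict:
    """Run a set of constructed request values through the hardened resolver and
    report which are served and which are rejected."""
    root = make_demo_backup_dir()
    requests = [
        "site-2024-01-01.zip",        # legitimate archive
        "../../etc/passwd",           # plain traversal
        "..%2F..%2Fwp-config.php",    # URL-encoded traversal
        "/etc/hostname",              # absolute path
        "escape.zip",                 # symlink pointing outside (or missing)
        "missing.zip",                # well-formed name, no such file
    ]
    results = {}
    for req in requests:
        try:
            safe_download_path(root, req)
            results[req] = "allowed"
        except (ValueError, FileNotFoundError) as exc:
            results[req] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:32} -> {outcome}")
```

The naive function is kept only to show the defect; the realpath() containment check is the part worth porting, and it should sit in the download handler itself rather than in any earlier input filter, since the comparison has to happen on the fully resolved path.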
Affected Systems
The affected product is Fahad Mahmood's Keep Backup Daily plugin for WordPress. All releases from the initial version up to and including 2.1.0 are vulnerable. Site operators running any of those versions should verify their installed plugin version and apply an update as soon as a fixed release becomes available. Because the plugin may be installed on any publicly accessible WordPress site, the potential impact is broad.
Risk and Exploitability
The CVSS base score of 4.9 classifies the vulnerability as medium, and the current EPSS score of <1% indicates a very low exploitation probability. It is not listed in CISA's KEV catalog. The attack is launched remotely against the vulnerable download endpoint; whether it requires an authenticated session in the WordPress administrative interface depends on how the plugin restricts that feature, which the available description does not specify. Because the vector is remote and the flaw is a simple path traversal, it should be treated as exploitable by anyone able to trigger the download functionality.