Description
The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and including 3.1.19.8. This is due to insufficient input validation on the fileName parameter in the file upload handler. The plugin sanitizes the fileName parameter using sanitize_text_field(), which removes HTML tags but does not prevent path traversal sequences like '../'. The unsanitized filename is then directly concatenated in Upload::getFileLocation() without using basename() or validating the resolved path stays within the intended directory. When an invalid file is uploaded, the cleanup logic calls dirname() on the traversed path and passes it to Util::rm(), which recursively deletes the entire resolved directory. This makes it possible for authenticated attackers with administrator-level access to traverse outside the intended upload directory and trigger deletion of critical WordPress directories such as wp-content/plugins, effectively disabling all installed plugins and causing severe site disruption.
Published: 2026-04-17
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Directory Deletion
Action: Patch Now
AI Analysis

Impact

The JetBackup – Backup, Restore & Migrate plugin processes the fileName parameter used during file uploads without sufficient protection against path traversal. The sanitization routine removes only HTML tags, leaving traversal sequences such as '../' intact; the resulting filename is then concatenated into the upload path and, when an invalid file is uploaded, the cleanup logic recursively deletes the resolved directory, leading to the removal of critical WordPress directories such as wp-content/plugins.
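The unsafe pattern the description and Impact sections outline (tag-only sanitization, direct path concatenation, then dirname() plus recursive delete on cleanup) beside a hardened version, as an added illustration; this is not JetBackup's code, the function names are hypothetical, and it assumes PHP 8:

```php
<?php
// Added illustration, not JetBackup's code: the unsafe pattern the advisory describes
// beside a hardened one. All function names here are hypothetical.

// Stand-in for WordPress's sanitize_text_field(): strips tags, keeps '../' intact.
function strip_tags_only(string $s): string {
    return trim(strip_tags($s));
}

// Vulnerable pattern: the tag-stripped name is concatenated straight into the path,
// so a traversal sequence walks out of the upload directory; a later dirname() +
// recursive delete on this value removes whatever directory it resolved to.
function unsafe_file_location(string $uploadDir, string $fileName): string {
    return rtrim($uploadDir, '/') . '/' . strip_tags_only($fileName);
}

// True when $path is $base itself or lies strictly inside it (both canonical).
function is_within(string $base, string $path): bool {
    return $path === $base || str_starts_with($path, $base . DIRECTORY_SEPARATOR);
}

// Hardened pattern: reduce to a basename, reject empty/dot names, then confirm the
// canonical location is still inside the canonical upload directory.
function safe_file_location(string $uploadDir, string $fileName): ?string {
    $name = basename(strip_tags_only($fileName));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    // For a not-yet-created file canonicalise the parent directory; for an existing
    // one (possibly a symlink) canonicalise the file itself.
    $resolved = file_exists($candidate) ? realpath($candidate) : realpath(dirname($candidate));
    return ($resolved !== false && is_within($base, $resolved)) ? $candidate : null;
}

// Cleanup of a rejected upload: remove only that one file, never its directory.
function safe_cleanup(string $uploadDir, string $fileName): bool {
    $path = safe_file_location($uploadDir, $fileName);
    if ($path === null || !is_file($path) || is_link($path)) {
        return false;
    }
    return unlink($path);
}
```

With an upload directory of `/var/www/wp-content/uploads/jetbackup` (a constructed path), `safe_file_location()` returns a path for `backup.zip` and `null` for `../../plugins`, whereas `unsafe_file_location()` yields a string under `wp-content/plugins` for the latter.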

Affected Systems

WordPress installations using the JetBackup plugin up to and including version 3.1.19.8 are affected. The vulnerability is present in all releases of the plugin packaged by BackupGuard that contain the vulnerable upload handler.

Risk and Exploitability

The CVSS score of 4.9 indicates medium severity, and the impact is severe even though only an authenticated administrator can trigger the exploit. The low EPSS score and absence from the KEV catalog suggest the vulnerability is not widely exploited yet; however, the path traversal flaw combined with the administrator requirement means that if privileged accounts are compromised or misconfigured, the entire plugin directory and potentially other server directories can be deleted, causing site downtime and loss of functionality. Operators should treat this as a high-risk issue in environments where administrator accounts are reachable via the web or other interfaces.

Generated by OpenCVE AI on April 17, 2026 at 05:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBackup to version 3.1.19.9 or later, which removes the path traversal flaw
  • If an immediate upgrade is not possible, remove the file upload capability for the JetBackup plugin or restrict the fileName parameter to literal filenames only, ensuring the server does not accept traversal characters
  • Re‑evaluate the site's role‑based access controls to ensure that only trusted users hold administrator privileges, and consider implementing a web‑application firewall to block suspicious file upload patterns

Generated by OpenCVE AI on April 17, 2026 at 05:52 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 13:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 08:15:00 +0000

Type: First Time appeared
  Values Added: Backupguard; Backupguard jetbackup – Backup, Restore & Migrate; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Backupguard; Backupguard jetbackup – Backup, Restore & Migrate; Wordpress; Wordpress wordpress

Fri, 17 Apr 2026 04:30:00 +0000

Type: Description
  Values Added: The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and including 3.1.19.8. This is due to insufficient input validation on the fileName parameter in the file upload handler. The plugin sanitizes the fileName parameter using sanitize_text_field(), which removes HTML tags but does not prevent path traversal sequences like '../'. The unsanitized filename is then directly concatenated in Upload::getFileLocation() without using basename() or validating the resolved path stays within the intended directory. When an invalid file is uploaded, the cleanup logic calls dirname() on the traversed path and passes it to Util::rm(), which recursively deletes the entire resolved directory. This makes it possible for authenticated attackers with administrator-level access to traverse outside the intended upload directory and trigger deletion of critical WordPress directories such as wp-content/plugins, effectively disabling all installed plugins and causing severe site disruption.
Type: Title
  Values Added: JetBackup <= 3.1.19.8 - Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal in 'fileName' Parameter
Type: Weaknesses
  Values Added: CWE-22
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Backupguard Jetbackup – Backup, Restore & Migrate
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T12:23:01.736Z

Reserved: 2026-03-25T15:15:15.547Z

Link: CVE-2026-4853

Vulnrichment

Updated: 2026-04-17T12:22:56.243Z

NVD

Status : Received

Published: 2026-04-17T05:16:18.680

Modified: 2026-04-17T05:16:18.680

Link: CVE-2026-4853

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T08:01:15Z

Weaknesses