🔐 CVE Alert

CVE-2026-4853

MEDIUM 4.9

JetBackup <= 3.1.19.8 - Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal in 'fileName' Parameter

CVSS Score
4.9
EPSS Score
0.0%
EPSS Percentile
0th

The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and including 3.1.19.8. This is due to insufficient input validation on the fileName parameter in the file upload handler. The plugin sanitizes the fileName parameter using sanitize_text_field(), which removes HTML tags but does not prevent path traversal sequences like '../'. The unsanitized filename is then directly concatenated in Upload::getFileLocation() without using basename() or validating the resolved path stays within the intended directory. When an invalid file is uploaded, the cleanup logic calls dirname() on the traversed path and passes it to Util::rm(), which recursively deletes the entire resolved directory. This makes it possible for authenticated attackers with administrator-level access to traverse outside the intended upload directory and trigger deletion of critical WordPress directories such as wp-content/plugins, effectively disabling all installed plugins and causing severe site disruption.

CWE CWE-22
Vendor backupguard
Product jetbackup – backup, restore & migrate
Published Apr 17, 2026
Stay Ahead of the Next One

Get instant alerts for backupguard jetbackup – backup, restore & migrate

Be the first to know when new medium vulnerabilities affecting backupguard jetbackup – backup, restore & migrate are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

backupguard / JetBackup – Backup, Restore & Migrate
0 ≤ 3.1.19.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/4aa0fa80-05dd-4fe1-b7b5-7ed0cf13053c?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Upload/Upload.php#L66 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Upload/Upload.php#L66 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Ajax/Calls/AddToQueue.php#L64 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Ajax/Calls/AddToQueue.php#L64 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Ajax/Calls/AddToQueue.php#L244 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Ajax/Calls/AddToQueue.php#L244 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3495633%40backup&new=3495633%40backup&sfp_email=&sfph_mail=

Credits

Lukasz Sobanski