{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4853", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-25T15:15:15.547Z", "datePublished": "2026-04-17T03:36:43.041Z", "dateUpdated": "2026-04-17T03:36:43.041Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T03:36:43.041Z"}, "affected": [{"vendor": "backupguard", "product": "JetBackup \u2013 Backup, Restore & Migrate", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.19.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The JetBackup \u2013 Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and including 3.1.19.8. This is due to insufficient input validation on the fileName parameter in the file upload handler. The plugin sanitizes the fileName parameter using sanitize_text_field(), which removes HTML tags but does not prevent path traversal sequences like '../'. The unsanitized filename is then directly concatenated in Upload::getFileLocation() without using basename() or validating the resolved path stays within the intended directory. When an invalid file is uploaded, the cleanup logic calls dirname() on the traversed path and passes it to Util::rm(), which recursively deletes the entire resolved directory. This makes it possible for authenticated attackers with administrator-level access to traverse outside the intended upload directory and trigger deletion of critical WordPress directories such as wp-content/plugins, effectively disabling all installed plugins and causing severe site disruption."}], "title": "JetBackup <= 3.1.19.8 - Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal in 'fileName' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4aa0fa80-05dd-4fe1-b7b5-7ed0cf13053c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Upload/Upload.php#L66"}, {"url": "https://plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Upload/Upload.php#L66"}, {"url": "https://plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Ajax/Calls/AddToQueue.php#L64"}, {"url": "https://plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Ajax/Calls/AddToQueue.php#L64"}, {"url": "https://plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Ajax/Calls/AddToQueue.php#L244"}, {"url": "https://plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Ajax/Calls/AddToQueue.php#L244"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3495633%40backup&new=3495633%40backup&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lukasz Sobanski"}], "timeline": [{"time": "2026-03-27T16:37:31.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-16T15:21:18.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The JetBackup \u2013 Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and including 3.1.19.8. This is due to insufficient input validation on the fileName parameter in the file upload handler. The plugin sanitizes the fileName parameter using sanitize_text_field(), which removes HTML tags but does not prevent path traversal sequences like '../'. The unsanitized filename is then directly concatenated in Upload::getFileLocation() without using basename() or validating the resolved path stays within the intended directory. When an invalid file is uploaded, the cleanup logic calls dirname() on the traversed path and passes it to Util::rm(), which recursively deletes the entire resolved directory. This makes it possible for authenticated attackers with administrator-level access to traverse outside the intended upload directory and trigger deletion of critical WordPress directories such as wp-content/plugins, effectively disabling all installed plugins and causing severe site disruption."}], "id": "CVE-2026-4853", "lastModified": "2026-04-17T05:16:18.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-17T05:16:18.680", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Ajax/Calls/AddToQueue.php#L244"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Ajax/Calls/AddToQueue.php#L64"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Upload/Upload.php#L66"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Ajax/Calls/AddToQueue.php#L244"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Ajax/Calls/AddToQueue.php#L64"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Upload/Upload.php#L66"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3495633%40backup&new=3495633%40backup&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4aa0fa80-05dd-4fe1-b7b5-7ed0cf13053c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T05:52:49.318889+00:00", "value": {"mitigation_remediation": ["Upgrade JetBackup to version 3.1.19.9 or later, which removes the path traversal flaw", "If an immediate upgrade is not possible, remove the file upload capability for the JetBackup plugin or restrict the fileName parameter to literal filenames only, ensuring the server does not accept traversal characters", "Re\u2011evaluate the site's role\u2011based access controls to ensure that only trusted users hold administrator privileges, and consider implementing a web\u2011application firewall to block suspicious file upload patterns"], "summary": {"action": "Patch Now", "impact": "Arbitrary Directory Deletion"}, "threat_synthesis": {"affected_systems": "WordPress installations using the JetBackup plugin up to and including version 3.1.19.8 are affected. The vulnerability is present in all releases of the plugin packaged by BackupGuard that contain the vulnerable upload handler.", "description_and_impact": "The JetBackup \u2013 Backup, Restore & Migrate plugin processes the fileName parameter used during file uploads without sufficient protection against path traversal. The sanitization routine removes only HTML tags, leaving traversal sequences such as '../' intact; the resulting filename is then concatenated into the upload path and, when an invalid file is uploaded, the cleanup logic recursively deletes the resolved directory, leading to the removal of critical WordPress directories such as wp-content/plugins.", "risk_and_exploitability": "The CVSS score of 4.9 indicates medium severity, but the impact is severe because only an authenticated administrator can trigger the exploit. The lack of an EPSS score and absence from the KEV catalog suggest the vulnerability is not widely exploited yet; however, the path traversal flaw and the administrator requirement mean that if privileged users are compromised or misconfigured, the entire plugin directory and potentially other server directories can be deleted, causing site downtime and loss of functionality. Operators should treat this as a high\u2011risk issue within environments where administrator accounts are accessible via web or other interfaces."}}}}, "created": "2026-04-17T06:00:09.272696+00:00", "updated": "2026-04-17T06:00:09.272708+00:00", "vendors": []}