Limited Path Traversal in Keep Backup Daily Plugin for WordPress
CVE-2026-3339

2.7 LOW

Key Information:

Vendor: WordPress
CVE Published: 20 March 2026

What is CVE-2026-3339?

The Keep Backup Daily plugin for WordPress is vulnerable to Limited Path Traversal by authenticated users with Administrator-level access. The cause is insufficient validation of the 'kbd_path' parameter in the kbd_open_upload_dir AJAX action: the value is sanitized with sanitize_text_field(), which does not adequately filter out path traversal sequences. An attacker can therefore access arbitrary directories on the server, potentially exposing sensitive information beyond the designated uploads directory.
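The root cause described above is a text sanitizer applied to a file path. As an added example (not the plugin's code or its patch), this plain-PHP sketch canonicalises the requested path and checks that it stays under the base directory; the function name `resolve_within_base` and the sample directory tree are hypothetical.

```php
<?php
// Added example: containment check for a user-supplied sub-path.
// resolve_within_base() and the directory layout are hypothetical.

/**
 * Resolve $userPath under $baseDir and return the canonical path,
 * or null if it does not exist or resolves outside $baseDir.
 */
function resolve_within_base(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false if the target is missing.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null;
    }
    // Compare against the base plus a trailing separator so "uploads-old" does not pass as "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample tree in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'kbd_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads/2026', 0700, true);
mkdir($root . '/uploads-old', 0700, true);
mkdir($root . '/private', 0700, true);

$cases = ['2026', '2026/..', '../private', '../uploads-old', '2026/../../private', 'missing'];
foreach ($cases as $input) {
    $resolved = resolve_within_base($root . '/uploads', $input);
    printf("%-22s %s\n", $input, $resolved === null ? 'rejected' : 'allowed');
}

// Remove the sample tree.
foreach (['/uploads/2026', '/uploads-old', '/uploads', '/private', ''] as $dir) {
    rmdir($root . $dir);
}
```

The check runs on the resolved path, not on the input string, so it does not depend on recognising every spelling of a traversal sequence.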

Affected Version(s)

Keep Backup Daily 0 <= 2.1.1

CVSS V3.1

Score: 2.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

san6051