Path Traversal Vulnerability in JetBackup Plugin for WordPress
CVE-2026-4853

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Jetbackup – Backup, Restore & Migrate
Vendor: CVE Published:; 17 April 2026

What is CVE-2026-4853?

The JetBackup plugin for WordPress is susceptible to a Path Traversal vulnerability due to inadequate validation of the fileName parameter in its file upload handler. This security flaw allows authenticated users with administrator access to manipulate file paths, enabling them to delete critical directories outside the intended upload directory. Essentially, attackers can exploit this vulnerability to trigger recursive deletion actions, which can incapacitate essential WordPress components, severely disrupting the website's functionality.

Affected Version(s)

JetBackup – Backup, Restore & Migrate 0 <= 3.1.19.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/backup/trunk/s...

https://plugins.trac.wordpress.org/browser/backup/tags/3....

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 17, 2026
Vulnerability Reserved
Mar 25, 2026

Credit

Lukasz Sobanski

CVE-2026-4853 Data

JSON