Attack Vectors
Keep Backup Daily (WordPress plugin slug: keep-backup-daily) is affected by CVE-2026-3339, a Low-severity issue (CVSS 2.7; vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).
The vulnerability is reachable through the plugin's kbd_open_upload_dir AJAX action. The attacker must already be authenticated with Administrator-level access (or higher), which is what the PR:H component of the vector records. In organizations with several admin accounts (agencies, IT vendors, shared marketing operations), the practical risk is higher than the rating alone suggests: a single compromised admin account is enough to use the flaw.
Security Weakness
The weakness is a limited path traversal caused by insufficient validation of the kbd_path parameter. The plugin sanitizes this input with sanitize_text_field(), which strips tags, line breaks and control characters but leaves path traversal sequences such as ../ untouched; it was never designed to confine a value to a directory.
As a result, an authenticated Admin can request paths outside the expected uploads directory and list the entries of arbitrary server directories that the web server user can read, rather than being restricted to the intended backup/upload locations. As described, this is a listing primitive (directory entry names, not file contents), which is why the vector carries C:L with I:N and A:N.
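The pattern the advisory describes, shown beside a hardened version, as an added example that is not the plugin's code and is not taken from the advisory or the Wordfence record. Only the action name kbd_open_upload_dir and the parameter name kbd_path come from the advisory; the function names, the manage_options capability check, the nonce name and the way the path is joined to the uploads directory are illustrative assumptions about how such a handler is typically written.

```php
<?php
// Added example: not the plugin's own code. Only the action name
// kbd_open_upload_dir and the parameter kbd_path come from the advisory; the
// function names, the manage_options capability check, the nonce name and the
// way the path is joined to the uploads directory are illustrative assumptions.

// Vulnerable pattern. sanitize_text_field() strips tags, line breaks and
// control characters, but "../" passes through untouched, so an Administrator
// can walk out of the uploads tree and list any directory PHP can read.
function kbd_list_dir_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $upload = wp_upload_dir();
    $path   = sanitize_text_field( wp_unslash( $_POST['kbd_path'] ?? '' ) );
    $dir    = $upload['basedir'] . '/' . $path;   // "../../../etc" still ends up here
    wp_send_json_success( array_values( array_diff( scandir( $dir ), array( '.', '..' ) ) ) );
}

// Containment check: resolve the candidate with realpath() and require the
// result to stay under the uploads base. This, not the sanitizer, is the fix.
function kbd_resolve_inside( $base, $relative ) {
    $base = realpath( $base );
    if ( $base === false ) {
        return false;
    }
    // Reject NUL bytes and absolute paths before touching the filesystem.
    if ( strpos( $relative, "\0" ) !== false || preg_match( '#^([a-zA-Z]:)?[/\\\\]#', $relative ) ) {
        return false;
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . $relative );
    if ( $target === false ) {
        return false;   // non-existent or unreadable: do not confirm either way
    }
    // Compare with the separator appended so "/srv/uploads-other" is not
    // mistaken for a child of "/srv/uploads". Symlinks that escape the base
    // resolve outside it and are rejected as well.
    if ( $target === $base || strpos( $target, $base . DIRECTORY_SEPARATOR ) === 0 ) {
        return $target;
    }
    return false;
}

// Hardened handler: same capability check, plus a nonce and the containment check.
function kbd_list_dir_hardened() {
    check_ajax_referer( 'kbd_open_upload_dir', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $upload = wp_upload_dir();
    $path   = sanitize_text_field( wp_unslash( $_POST['kbd_path'] ?? '' ) );
    $dir    = kbd_resolve_inside( $upload['basedir'], $path );
    if ( $dir === false || ! is_dir( $dir ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    wp_send_json_success( array_values( array_diff( scandir( $dir ), array( '.', '..' ) ) ) );
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_kbd_open_upload_dir', 'kbd_list_dir_hardened' );
}

// Stand-alone check (php this-file.php, outside WordPress): the resolver
// rejects the inputs that sanitize_text_field() would have let through.
if ( PHP_SAPI === 'cli' && ! function_exists( 'wp_upload_dir' ) ) {
    $base = sys_get_temp_dir() . '/kbd-demo';
    @mkdir( $base . '/backups', 0700, true );
    foreach ( array( 'backups', '../../etc', '..', '/etc', "backups\0/../.." ) as $candidate ) {
        $resolved = kbd_resolve_inside( $base, $candidate );
        printf( "%-18s => %s\n", str_replace( "\0", '\0', $candidate ), $resolved === false ? 'rejected' : $resolved );
    }
}
```

The two handlers differ only in the containment step: the sanitizer call is the same in both, which is the point of the advisory. The wp_send_json_* helpers terminate the request, so the guard branches need no explicit return. Run outside WordPress, the trailing block creates a temporary base directory and prints "rejected" for every traversal, absolute and NUL-byte candidate while accepting the legitimate "backups" subdirectory.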
Technical or Business Impacts
Although this issue is rated Low, it still creates meaningful exposure because it enables information disclosure. Directory listings reveal operational details such as server layout, the names of configuration-related files, backup naming conventions and other clues that make follow-on attacks easier to plan.
From a business-risk perspective, this can contribute to:
• Faster attacker discovery and escalation: Knowing where assets and backups live can shorten the time needed for an attacker to plan follow-on actions.
• Compliance and audit concerns: Unnecessary exposure of server directory information may complicate internal security reviews and incident response documentation.
• Increased impact of an admin account compromise: If an Admin account is phished or reused across systems, this vulnerability gives an attacker additional visibility that they would not otherwise have.
Remediation: update Keep Backup Daily to version 2.1.3 or newer (the patched release). Reference: Wordfence vulnerability record. CVE record: https://www.cve.org/CVERecord?id=CVE-2026-3339.
Similar Attacks
Path traversal has been a recurring issue across many technologies. A few well-documented examples include:
• Apache HTTP Server path traversal (CVE-2021-41773): https://www.cve.org/CVERecord?id=CVE-2021-41773
• Citrix ADC / NetScaler path traversal (CVE-2019-19781): https://www.cve.org/CVERecord?id=CVE-2019-19781
• Fortinet FortiOS path traversal (CVE-2018-13379): https://www.cve.org/CVERecord?id=CVE-2018-13379
The lesson is consistent across these cases: even "limited" traversal issues can expose enough information to support larger attacks, so timely patching and strong admin account controls (MFA, least privilege and vendor access governance) remain essential.