CVE-2026-4853
Description
The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and including 3.1.19.8. This is due to insufficient input validation on the fileName parameter in the file upload handler. The plugin sanitizes the fileName parameter using sanitize_text_field(), which removes HTML tags but does not prevent path traversal sequences like '../'. The unsanitized filename is then directly concatenated in Upload::getFileLocation() without using basename() or validating the resolved path stays within the intended directory. When an invalid file is uploaded, the cleanup logic calls dirname() on the traversed path and passes it to Util::rm(), which recursively deletes the entire resolved directory. This makes it possible for authenticated attackers with administrator-level access to traverse outside the intended upload directory and trigger deletion of critical WordPress directories such as wp-content/plugins, effectively disabling all installed plugins and causing severe site disruption.
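The fix the description implies (strip directory components with basename(), check that the resolved path stays inside the upload directory, and never hand a dirname() of user-influenced input to a recursive delete) is shown below as an added PHP example written for this page. It is not JetBackup's code; the function names safeUploadPath and cleanupFailedUpload, the temporary upload directory and the sample filenames are assumptions constructed for the demonstration.

```php
<?php
// Added illustration, not JetBackup's code: a hardened upload-path builder and
// a cleanup routine that refuse to touch anything outside the upload directory.
// Function names, the temp directory and the sample inputs are assumptions.

declare(strict_types=1);

/**
 * Resolve $fileName inside $uploadDir, rejecting anything that could escape it.
 * Returns the absolute path on success, or null if the name is unacceptable.
 */
function safeUploadPath(string $uploadDir, string $fileName): ?string
{
    // Step 1: reject NUL bytes and backslashes up front. basename() on Linux
    // treats '\' as an ordinary character, so do not rely on it for Windows-style
    // separators; sanitize_text_field() removes neither of these concerns.
    if (strpbrk($fileName, "\\\0") !== false) {
        return null;
    }
    // Step 2: drop any directory component, then refuse the special names.
    $name = basename($fileName);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // Step 3: allow only a conservative character set for upload names.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }
    // Step 4: resolve the real upload directory and verify containment. The
    // file itself may not exist yet, so realpath() is applied to its parent.
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    if (realpath(dirname($candidate)) !== $base) {
        return null;
    }
    return $candidate;
}

/**
 * Remove only the single rejected upload file. The parent directory is never
 * passed to a recursive delete, so a bad name cannot take a directory with it.
 */
function cleanupFailedUpload(string $uploadDir, string $fileName): bool
{
    $path = safeUploadPath($uploadDir, $fileName);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Constructed demonstration inputs: one legitimate name and three that a
// concatenation-based getFileLocation() would have resolved outside $uploadDir.
$uploadDir = sys_get_temp_dir() . '/upload_path_demo';
@mkdir($uploadDir, 0700, true);

$inputs = [
    'backup-2026.tar.gz',
    '../../wp-content/plugins/x.tar.gz',
    '..\\..\\wp-content\\plugins\\x.tar.gz',
    "evil\0.tar.gz",
];
foreach ($inputs as $in) {
    $out = safeUploadPath($uploadDir, $in);
    printf("%-45s => %s\n", json_encode($in), $out === null ? 'REJECTED' : $out);
}
```

Only the first input yields a path; the three traversal attempts are rejected before any filesystem call is made. The containment check in step 4 is the one that matters when a future change relaxes the character whitelist: it compares the resolved parent against the resolved base, so symlinks inside the upload directory cannot redirect the write or the cleanup elsewhere.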
Affected products
- JetBackup – Backup, Restore & Migrate plugin for WordPress, versions <= 3.1.19.8
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Ajax/Calls/AddToQueue.php
- plugins.trac.wordpress.org/browser/backup/tags/3.1.17.5/src/JetBackup/Upload/Upload.php
- plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Ajax/Calls/AddToQueue.php
- plugins.trac.wordpress.org/browser/backup/trunk/src/JetBackup/Upload/Upload.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/4aa0fa80-05dd-4fe1-b7b5-7ed0cf13053c