What the vulnerability does
01Description
The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the backup title alias (`val` parameter) in the `update_kbd_bkup_alias` AJAX action in all versions up to, and including, 2.1.2. This is due to insufficient input sanitization and output escaping. While `sanitize_text_field()` strips HTML tags on save, it does not encode double quotes. The backup titles are output in HTML attribute contexts without `esc_attr()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via attribute injection that will execute whenever another administrator views the backup list page.
Explanation of Vulnerability in Simple Terms
02Summary
Keep Backup Daily versions 2.1.2 and earlier contain a cross-site scripting (XSS) vulnerability. An authenticated administrator with high privileges can inject malicious scripts that affect other users or components of the site. The vulnerability requires specific conditions to exploit and has limited impact on confidentiality and integrity.
What an attacker can do
03Attacker Capabilities
Inject malicious scripts that execute in other users' browsers or affect site functionality.
Potential impact on your site
04Site Impact
An admin account compromise could allow script injection affecting other users or site behavior.
Conditions required to exploit
05Prerequisites
Attacker must be an authenticated administrator with high privileges; no user interaction required.
Key dates
06Disclosure timeline
March 20, 2026
CVE published
April 8, 2026
Record updated
