CVE-2026-4853 MEDIUM

CVE-2026-4853: JetBackup <= 3.1.19.8 - Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal in 'fileName' Parameter

Vendor Backupguard
Product JetBackup – Backup, Restore & Migrate
Weakness CWE-22 · Path traversal
Published April 17, 2026
Last update April 17, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and including 3.1.19.8. This is due to insufficient input validation on the fileName parameter in the file upload handler. The plugin sanitizes the fileName parameter using sanitize_text_field(), which strips HTML tags but does not remove path traversal sequences such as '../'. The filename, traversal sequences intact, is then concatenated directly in Upload::getFileLocation() without applying basename() or verifying that the resolved path stays within the intended directory. When the uploaded file turns out to be invalid, the cleanup logic calls dirname() on the traversed path and passes the result to Util::rm(), which recursively deletes the entire resolved directory. This makes it possible for authenticated attackers with administrator-level access to traverse outside the intended upload directory and trigger deletion of critical WordPress directories such as wp-content/plugins, effectively disabling all installed plugins and causing severe site disruption.
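As an added illustration of the two missing checks named above (it is not JetBackup's code), the following plain-PHP helpers resolve an upload path with basename() plus a realpath() containment check, and guard the cleanup deletion so it can never remove the upload root or anything above it. Function names and the temp-directory demo are constructed for this example; no WordPress runtime is needed.

```php
<?php
// Added example, not JetBackup's code. Hypothetical helper names;
// plain PHP, no WordPress runtime required.

/**
 * Resolve $fileName inside $uploadDir, or return null if the result
 * would escape it. basename() drops any directory components from the
 * user-supplied name (sanitize_text_field() leaves "../" intact), and
 * realpath() compares canonical paths so symlinks and ".." cannot move
 * the resolved parent outside the upload directory.
 */
function safe_upload_location(string $uploadDir, string $fileName): ?string
{
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null; // upload directory must already exist
    }
    $leaf = basename($fileName); // "../../x" becomes "x"
    if ($leaf === '' || $leaf === '.' || $leaf === '..') {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $leaf;
    // Check the directory a cleanup step would later dirname() and delete.
    if (realpath(dirname($candidate)) !== $base) {
        return null;
    }
    return $candidate;
}

/**
 * Guard for a recursive delete: allow $dir only when it resolves to a
 * path strictly inside $allowedRoot, never the root itself or above it.
 */
function delete_is_allowed(string $allowedRoot, string $dir): bool
{
    $root   = realpath($allowedRoot);
    $target = realpath($dir);
    if ($root === false || $target === false || $target === $root) {
        return false;
    }
    return strpos($target, $root . DIRECTORY_SEPARATOR) === 0;
}

// Constructed demo in a throwaway temp tree: a traversal-style name is
// reduced to its leaf, and deleting the upload root itself is refused.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . getmypid();
mkdir($tmp . '/uploads', 0700, true);
var_dump(safe_upload_location($tmp . '/uploads', '../../outside/x.txt'));
var_dump(delete_is_allowed($tmp . '/uploads', dirname($tmp . '/uploads/x')));
rmdir($tmp . '/uploads'); rmdir($tmp);
```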

Explanation of Vulnerability in Simple Terms

02 Summary

JetBackup versions up to 3.1.19.8 contain a path traversal vulnerability that allows high-privilege users to read files outside the intended backup directory. An attacker with administrative access can craft requests to access sensitive files on the server. The vulnerability requires high-level privileges and does not affect file integrity or availability.

What an attacker can do

03 Attacker Capabilities

Read arbitrary files on the server outside the backup directory.

Potential impact on your site

04 Site Impact

Administrators with malicious intent or compromised admin accounts can access sensitive server files.

Conditions required to exploit

05 Prerequisites

Attacker must have high-level administrative privileges on the site.

Key dates

06 Disclosure timeline

April 17, 2026 CVE published
April 17, 2026 Record updated