CVE-2026-4853
Path Traversal in JetBackup Plugin Allows Arbitrary Directory Deletion
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jetbackup | jetbackup | up to and including 3.1.19.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Update the JetBackup plugin to a version later than 3.1.19.8, where the issue is fixed.
Until the update is applied, limit administrator-level access to trusted accounts and review existing administrator users, since exploitation requires an authenticated administrator.
Because the attacker is the one supplying the filename, asking users not to upload traversal sequences is not a control; the fix has to be in the handler. If you maintain custom code around file uploads, reduce user-supplied filenames to a basename, restrict them to a conservative character set, and check that any path passed to a delete or cleanup routine resolves strictly inside the intended directory.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated administrators to delete critical WordPress directories, causing severe site disruption. This could lead to loss of data availability and integrity, which are important aspects of compliance with standards like GDPR and HIPAA.
However, the provided information does not explicitly describe the impact on compliance with specific regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
The JetBackup plugin for WordPress, up to and including version 3.1.19.8, is vulnerable because of insufficient input validation on the fileName parameter of its file upload handler. The plugin sanitizes fileName to strip HTML tags, but that sanitization does not remove path traversal sequences such as '../', so an authenticated administrator can supply a name whose resulting path points outside the intended upload directory.
When the uploaded file is rejected as invalid, the plugin's cleanup logic recursively deletes the directory at that manipulated path. Because the path is attacker-controlled, the deletion can land on directories outside the intended scope, including wp-content/plugins; removing that directory disables every installed plugin and severely disrupts the site.
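The pattern described above, and the handler-side hardening suggested in the mitigation answer, modelled as an added PHP example. This is not JetBackup's code: the tag-stripping sanitizer stand-in, the rrmdir helper, the function names and the wp-content layout in a temporary directory are all constructed for the demonstration, and the script runs under plain `php` with no WordPress installation.

```php
<?php
// Added illustration, not JetBackup's code. Models the flaw the advisory
// describes: the upload handler strips HTML tags from fileName but not "../",
// and the cleanup for a rejected upload recursively deletes whatever the
// resulting path points at. Beside it, a hardened variant. WordPress helpers
// are stubbed so the script runs under plain `php` against a temp directory.

// Stand-in for a tag-stripping sanitizer (assumed behaviour, not the plugin's
// function): removes <tags> but leaves "../" intact.
function strip_tags_only(string $s): string {
    return trim(strip_tags($s));
}

// Recursive delete, stand-in for the plugin's cleanup of a failed upload.
function rrmdir(string $dir): void {
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') { continue; }
        $p = $dir . DIRECTORY_SEPARATOR . $entry;
        (is_dir($p) && !is_link($p)) ? rrmdir($p) : unlink($p);
    }
    rmdir($dir);
}

// VULNERABLE (hypothetical): the traversal sequence survives sanitization and
// the cleanup path is used as-is, so "../" walks out of the upload directory.
function vulnerable_cleanup(string $uploadDir, string $fileName): string {
    $target = $uploadDir . DIRECTORY_SEPARATOR . strip_tags_only($fileName);
    if (is_dir($target)) {
        rrmdir($target);
    }
    return $target;
}

// HARDENED (hypothetical): reduce the name to a basename, allow only a
// conservative character set, and refuse to delete anything that does not
// resolve strictly inside the upload root.
function hardened_cleanup(string $uploadDir, string $fileName): bool {
    $base = basename($fileName);
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $base)) {
        return false;   // rejects "", ".", "..", "<", and any other odd bytes
    }
    $root   = realpath($uploadDir);
    $target = realpath($uploadDir . DIRECTORY_SEPARATOR . $base);
    if ($root === false || $target === false) {
        return false;
    }
    // Containment check: the resolved target must sit below "<root>/",
    // which also excludes the upload root itself.
    if (strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    rrmdir($target);
    return true;
}

// --- Demonstration on a constructed wp-content layout in a temp directory ---
$demoRoot  = sys_get_temp_dir() . '/wpdemo_' . bin2hex(random_bytes(4));
$wpContent = "$demoRoot/wp-content";
mkdir("$wpContent/uploads/pending", 0700, true);
mkdir("$wpContent/plugins/some-plugin", 0700, true);
file_put_contents("$wpContent/plugins/some-plugin/plugin.php", "<?php // demo\n");

$uploadDir = "$wpContent/uploads/pending";
$evil      = '../../plugins<b></b>';   // tags are stripped, "../" is not

// Hardened variant rejects the name before touching the disk; plugins survive.
$refused = !hardened_cleanup($uploadDir, $evil);
$pluginsIntact = is_dir("$wpContent/plugins/some-plugin");
echo "hardened refused: " . var_export($refused, true)
   . ", plugins intact: " . var_export($pluginsIntact, true) . "\n";

// Vulnerable variant resolves to wp-content/plugins and removes it entirely.
$deletedPath = vulnerable_cleanup($uploadDir, $evil);
echo "vulnerable cleanup targeted: $deletedPath\n";
echo "plugins dir still present: " . var_export(is_dir("$wpContent/plugins"), true) . "\n";

rrmdir($demoRoot);   // remove the demo tree
```

The hardened variant applies two independent controls: the basename plus allow-list check stops traversal at the input boundary, and the realpath containment check protects the delete routine even if a caller hands it a path built elsewhere. Either one alone would have prevented the outcome described in this advisory; keeping both means a future change to the sanitizer does not silently reopen the deletion path.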
How can this vulnerability impact me?
This vulnerability allows arbitrary directory deletion on a WordPress site running the affected JetBackup plugin. An attacker with administrator-level access can delete critical directories such as wp-content/plugins, disabling every installed plugin and causing significant site disruption.
The impact is to availability and integrity: loss of functionality, potential downtime, and a recovery effort to restore the deleted files and directories from backups.