CVE-2026-3339: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in fahadmahmood Keep Backup Daily
The Keep Backup Daily plugin for WordPress is vulnerable to Limited Path Traversal in all versions up to, and including, 2.1.1 via the `kbd_open_upload_dir` AJAX action. This is due to insufficient validation of the `kbd_path` parameter, which is only sanitized with `sanitize_text_field()` - a function that does not strip path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to list the contents of arbitrary directories on the server outside of the intended uploads directory.
AI Analysis
Technical Summary
The Keep Backup Daily plugin for WordPress, maintained by fahadmahmood, suffers from a path traversal vulnerability identified as CVE-2026-3339. This vulnerability exists in all versions up to and including 2.1.1 and is triggered via the 'kbd_open_upload_dir' AJAX action. The root cause is insufficient validation of the 'kbd_path' parameter, which is only sanitized using WordPress's 'sanitize_text_field()' function. This function does not remove or neutralize path traversal sequences such as '../', allowing an attacker with administrator-level privileges to manipulate the path parameter to access directories outside the intended upload directory. Consequently, an attacker can list contents of arbitrary directories on the server, potentially exposing sensitive file names and directory structures. However, the vulnerability does not allow modification or deletion of files, nor does it enable remote code execution or denial of service. Exploitation requires authenticated access with administrator privileges, and no user interaction beyond that is needed. The CVSS 3.1 base score is 2.7, indicating low severity primarily due to the high privilege requirement and limited impact on confidentiality only. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
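The root cause described above is that `sanitize_text_field()` leaves `../` segments intact, so a handler that passes the result to a directory-listing call trusts a path it never confined. The defensive pattern is to resolve the requested path to its canonical form and accept it only if it still lies under the base directory. The block below is an added example, not code from the Keep Backup Daily plugin or from Wordfence; the function name `kbd_confine_path`, the temporary directory layout and the request values are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code): confine a user-supplied directory
// path to a fixed base directory before listing it. kbd_confine_path and the
// constructed directory layout below are illustrative assumptions.

/**
 * Resolve $requested relative to $base and return the canonical path only if
 * it stays inside $base. Returns null for '..' traversal, absolute paths,
 * symlinks that point outside the base, NUL bytes and non-existent directories.
 */
function kbd_confine_path(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || !is_dir($baseReal)) {
        return null;
    }
    // Embedded NUL bytes truncate C-level path handling; reject them outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Treat the request as relative: strip leading separators so an absolute
    // path is re-rooted under the base instead of replacing it.
    $candidate     = $baseReal . DIRECTORY_SEPARATOR . ltrim($requested, "/\\");
    $candidateReal = realpath($candidate);   // collapses '..' and follows symlinks
    if ($candidateReal === false || !is_dir($candidateReal)) {
        return null;
    }
    // Compare with a trailing separator so "uploads-old" cannot pass as "uploads".
    $baseTrim = rtrim($baseReal, DIRECTORY_SEPARATOR);
    $prefix   = $baseTrim . DIRECTORY_SEPARATOR;
    if ($candidateReal !== $baseTrim && strpos($candidateReal, $prefix) !== 0) {
        return null;
    }
    return $candidateReal;
}

// --- Self-contained demonstration on a constructed directory layout ---------
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'kbd-demo-' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads . DIRECTORY_SEPARATOR . '2026', 0700, true);
mkdir($root . DIRECTORY_SEPARATOR . 'private', 0700, true);

// Constructed requests: value is whether the confinement check should allow them.
$requests = [
    '2026'              => true,   // legitimate sub-directory of uploads
    ''                  => true,   // the uploads directory itself
    '../private'        => false,  // traversal out of uploads
    '/private'          => false,  // absolute path, re-rooted under uploads, does not exist there
    "2026\0/../private" => false,  // embedded NUL byte
];

foreach ($requests as $req => $expectAllowed) {
    $resolved = kbd_confine_path($uploads, (string) $req);
    $allowed  = $resolved !== null;
    printf("%-24s -> %s\n", json_encode((string) $req), $allowed ? "allowed: $resolved" : 'rejected');
    assert($allowed === $expectAllowed);
}

// Clean up the constructed layout.
rmdir($uploads . DIRECTORY_SEPARATOR . '2026');
rmdir($root . DIRECTORY_SEPARATOR . 'private');
rmdir($uploads);
rmdir($root);
```

In a WordPress AJAX handler the base would be `wp_upload_dir()['basedir']` and `$requested` the raw `kbd_path` value, after the usual `check_ajax_referer()` and `current_user_can()` gates; how the plugin's own handler is structured is not shown on this page, so that wiring is an assumption. The check deliberately requires the target to exist, because `realpath()` is what neutralises `..` and symlinks; a string filter that merely deletes `../` substrings can be bypassed by nested sequences and should not be relied on alone.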
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of directory contents outside the intended upload directory, which can reveal sensitive information such as configuration files, backup files, or other data stored on the server. While this does not directly compromise system integrity or availability, the exposure of directory listings can aid attackers in reconnaissance and facilitate further attacks. Since exploitation requires administrator-level access, the risk is somewhat mitigated by the need for high privileges; however, if an attacker gains such access (e.g., via credential compromise or privilege escalation), they can leverage this vulnerability to gather additional information about the server environment. Organizations using the Keep Backup Daily plugin on WordPress sites may face increased risk of information leakage, which could be leveraged in targeted attacks or lateral movement within the network. The low CVSS score reflects the limited scope and impact, but the vulnerability still represents a security weakness that should be addressed to maintain defense-in-depth.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first update the Keep Backup Daily plugin to a version that addresses this issue once available. In the absence of an official patch, administrators can implement custom input validation to strictly restrict the 'kbd_path' parameter, disallowing any path traversal sequences such as '../' or absolute paths. This can be done by whitelisting allowed directories or normalizing and validating paths before processing. Additionally, limit administrator access strictly to trusted personnel and enforce strong authentication mechanisms to reduce the risk of privilege abuse. Regularly audit plugin usage and monitor logs for suspicious AJAX requests targeting 'kbd_open_upload_dir'. Employ web application firewalls (WAFs) with rules to detect and block path traversal attempts. Finally, consider isolating WordPress installations and backups on separate file systems or containers to minimize the impact of directory traversal vulnerabilities.
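The recommendation to monitor for suspicious requests targeting `kbd_open_upload_dir` can be turned into a small log check. The following is an added example, not tooling from the advisory, the plugin or Wordfence: it parses constructed access-log lines in the common combined format and flags calls to that action whose `kbd_path` contains a traversal segment, an absolute path or a NUL byte. The log lines, IP addresses and function names are constructed for illustration.

```php
<?php
// Added example (not from the advisory or the plugin): flag admin-ajax.php
// requests that invoke kbd_open_upload_dir with a suspicious kbd_path value.
// Log lines, addresses and function names below are constructed assumptions.

// Minimal combined-log-format matcher: client IP, timestamp, request line, status.
const KBD_LOG_PATTERN = '/^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})/';

/** True if a decoded kbd_path value attempts to leave the uploads directory. */
function kbd_is_suspicious_path(string $path): bool
{
    // parse_str() already decoded once; decode again to catch double-encoding.
    $decoded = rawurldecode($path);
    return strpos($decoded, "\0") !== false
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $decoded) === 1   // a '..' segment
        || preg_match('#^([\\\\/]|[A-Za-z]:)#', $decoded) === 1;         // absolute path
}

/** Return one record per matching request: ip, time, status and the offending path. */
function kbd_scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(KBD_LOG_PATTERN, $line, $m)) {
            continue;
        }
        $query = parse_url($m['url'], PHP_URL_QUERY) ?? '';
        parse_str($query, $params);
        if (($params['action'] ?? '') !== 'kbd_open_upload_dir') {
            continue;
        }
        $path = (string) ($params['kbd_path'] ?? '');
        if (kbd_is_suspicious_path($path)) {
            $hits[] = ['ip' => $m['ip'], 'time' => $m['time'], 'status' => $m['status'], 'kbd_path' => $path];
        }
    }
    return $hits;
}

// Constructed sample lines: one benign listing, one traversal, one unrelated
// action and one absolute path.
$sampleLog = [
    '203.0.113.5 - - [20/Mar/2026:22:10:01 +0000] "GET /wp-admin/admin-ajax.php?action=kbd_open_upload_dir&kbd_path=2026%2F03 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Mar/2026:22:10:07 +0000] "GET /wp-admin/admin-ajax.php?action=kbd_open_upload_dir&kbd_path=..%2F..%2F HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Mar/2026:22:11:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Mar/2026:22:12:45 +0000] "GET /wp-admin/admin-ajax.php?action=kbd_open_upload_dir&kbd_path=%2Fsrv HTTP/1.1" 200 1400 "-" "Mozilla/5.0"',
];

$hits = kbd_scan_log($sampleLog);
assert(count($hits) === 2);
foreach ($hits as $h) {
    printf("[%s] %s status=%s kbd_path=%s\n", $h['time'], $h['ip'], $h['status'], json_encode($h['kbd_path']));
}
```

Web server access logs only carry the query string, and WordPress AJAX calls are often sent as POST bodies, so in practice the same check belongs in a WAF rule or in application-level request logging, where the parameters are visible. A hit from an account that legitimately holds Administrator rights is still worth reviewing: the page's own impact assessment notes that this action becomes useful to an attacker precisely after such an account is compromised.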
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Brazil, Netherlands, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-27T15:17:08.862Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bdda56b462d409683a8be7
Added to database: 3/20/2026, 11:37:58 PM
Last enriched: 3/20/2026, 11:39:24 PM
Last updated: 3/21/2026, 3:32:59 AM