The Keep Backup Daily plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2026-3577. This vulnerability exists in all versions up to and including 2.1.2 and is due to improper neutralization of input during web page generation (CWE-79). Specifically, the backup title alias parameter (`val`) in the AJAX action `update_kbd_bkup_alias` is insufficiently sanitized and escaped. While the plugin uses `sanitize_text_field()` to strip HTML tags on save, this function does not encode double quotes, which are critical in preventing attribute injection. The backup titles are then output in HTML attribute contexts without the use of `esc_attr()`, allowing an attacker with administrator privileges to inject arbitrary JavaScript code. When other administrators view the backup list page, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious actions. Exploitation requires authenticated access with administrator-level privileges, no user interaction is needed beyond viewing the page, and the vulnerability affects confidentiality and integrity but not availability. The CVSS 3.1 score is 4.4, reflecting network attack vector, high attack complexity, high privileges required, no user interaction, and partial confidentiality and integrity impact. No public exploits have been reported, but the vulnerability poses a risk in environments where multiple administrators manage backups.

The primary impact of CVE-2026-3577 is on the confidentiality and integrity of administrative sessions within WordPress sites using the Keep Backup Daily plugin. An attacker with administrator access can inject persistent malicious scripts that execute in the context of other administrators, potentially stealing session cookies, performing unauthorized actions, or installing backdoors. This can lead to full site compromise, data theft, or disruption of backup integrity. Since the vulnerability requires administrator privileges, it does not allow initial unauthorized access but can be leveraged for lateral movement or privilege escalation within the WordPress environment. Organizations relying on this plugin for backup management face risks of persistent cross-site scripting attacks that undermine administrative trust and site security. The impact is limited to sites with multiple administrators and those that have not applied patches or mitigations. No direct impact on availability is noted, but indirect effects such as site defacement or loss of data integrity are possible.

To mitigate CVE-2026-3577, organizations should immediately update the Keep Backup Daily plugin to a version where this vulnerability is patched once available. In the absence of an official patch, administrators should implement manual code fixes by ensuring that all user-supplied input, especially the backup title alias, is properly sanitized and escaped using WordPress security functions such as `esc_attr()` when outputting in HTML attribute contexts. Restrict administrator access strictly to trusted personnel to reduce the risk of malicious input. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly audit backup titles and other plugin inputs for suspicious content. Additionally, monitor administrative activity logs for unusual behavior. Consider disabling or replacing the plugin if timely patches are not available. Finally, educate administrators about the risks of stored XSS and the importance of cautious input handling.