CVE-2026-4853 is a path traversal vulnerability in the JetBackup – Backup, Restore & Migrate WordPress plugin (up to version 3.1.19.8). The vulnerability is due to insufficient input validation on the fileName parameter in the file upload handler. The plugin uses sanitize_text_field() which does not prevent path traversal sequences like '../'. The unsanitized filename is concatenated directly in Upload::getFileLocation() without basename() or path validation. When an invalid file is uploaded, cleanup logic calls dirname() on the traversed path and passes it to Util::rm(), which recursively deletes the resolved directory. Authenticated attackers with administrator privileges can exploit this to delete critical directories such as wp-content/plugins, causing severe site disruption. The CVSS v3.1 score is 4.9 (medium severity), with no known exploits or official remediation available.

Successful exploitation allows an authenticated administrator to delete arbitrary directories outside the intended upload directory, including critical WordPress directories like wp-content/plugins. This results in disabling all installed plugins and causing significant disruption to the WordPress site. The vulnerability does not impact confidentiality or integrity directly but causes high availability impact by deleting essential files.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict administrator access to trusted users only and monitor for suspicious file upload activity. Avoid uploading files with untrusted filenames. Consider disabling or limiting the use of the vulnerable plugin if possible.