CVE-2026-3577

Name of the Vulnerable Software and Affected Versions Keep Backup Daily plugin for WordPress versions up to and including 2.1.2

Description The Keep Backup Daily plugin for WordPress is susceptible to a Stored Cross-Site Scripting issue. This occurs because of inadequate input sanitization and output escaping. Specifically, the backup title alias, represented by the val parameter, within the update kbd bkup alias AJAX action is not properly handled. While sanitize text field() removes HTML tags during saving, it fails to encode double quotes. Consequently, backup titles are displayed in HTML attribute contexts without using esc attr(), allowing authenticated attackers with Administrator-level access or higher to inject malicious web scripts. These scripts will execute whenever another administrator views the backup list page.

Recommendations Update the Keep Backup Daily plugin to a version later than 2.1.2.