PT-2026-33402 · WordPress · Jetbackup – Backup

Lukasz Sobanski · Published 2026-04-17 · Updated 2026-04-17 · CVE-2026-4853

CVSS v3.1

4.9 Medium

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

JetBackup – Backup, Restore & Migrate versions prior to 3.1.19.9

Description

Insufficient input validation on the fileName parameter in the file upload handler allows for path traversal. The plugin uses sanitize_text_field(), which removes HTML tags but fails to block path traversal sequences such as '../'. The Upload::getFileLocation() function concatenates this unsanitized filename without using basename() or verifying that the resolved path remains within the intended directory. Consequently, when an invalid file is uploaded, the cleanup logic applies dirname() to the traversed path and passes it to Util::rm(), which recursively deletes the resolved directory. Authenticated attackers with administrator-level access can use this to delete critical WordPress directories, such as 'wp-content/plugins', leading to severe site disruption.

Recommendations

Update the plugin to a version newer than 3.1.19.8.
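The missing checks the description refers to, shown as an added example that is not the plugin's code: a stand-in for sanitize_text_field() (which leaves '../' intact), the vulnerable concatenation, and a hardened variant that applies basename() and verifies the resolved parent directory before any dirname()/rm() can run. Function names and the sample filename are constructed for illustration.

```php
<?php
// Added example, not JetBackup's code. Shows why sanitize_text_field()
// alone is insufficient and how to confine an upload name to its directory.

// Stand-in for WordPress' sanitize_text_field(): strips tags and control
// characters but leaves "../" untouched, as the advisory describes.
function sanitize_text_field_stub(string $s): string {
    $s = strip_tags($s);
    return trim(preg_replace('/[\x00-\x1F\x7F]/', '', $s));
}

// Vulnerable pattern: the "sanitized" name is concatenated onto the base dir.
function vulnerable_file_location(string $baseDir, string $fileName): string {
    $clean = sanitize_text_field_stub($fileName);
    return rtrim($baseDir, '/') . '/' . $clean;
}

// Hardened: keep only the final path component, then verify the resolved
// parent directory is still the upload directory before any write or rm().
function safe_file_location(string $baseDir, string $fileName): ?string {
    $name = basename(sanitize_text_field_stub($fileName));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $realBase = realpath($baseDir);
    if ($realBase === false) {
        return null;
    }
    $target = $realBase . DIRECTORY_SEPARATOR . $name;
    // dirname() of the final path must be the base dir itself, so a later
    // cleanup step (dirname() -> rm()) can never climb out of it.
    if (dirname($target) !== $realBase) {
        return null;
    }
    return $target;
}

// Constructed demonstration values (existing temp dir, traversal-style name).
$base = sys_get_temp_dir();
$traversalName = '../../plugins/example.jbf';

$bad = vulnerable_file_location($base, $traversalName);
echo "vulnerable -> ", $bad, PHP_EOL;
echo "dirname()  -> ", dirname($bad), PHP_EOL; // points outside the upload dir

$good = safe_file_location($base, $traversalName);
echo "hardened   -> ", var_export($good, true), PHP_EOL; // stays inside $base
```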

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-4853

Affected Products

Jetbackup – Backup