Keep Backup Daily plugin allows attackers to inject malicious scripts in WordPress backup titles

CVE-2026-3577
Summary

The Keep Backup Daily plugin for WordPress is vulnerable to stored cross-site scripting through backup titles. An attacker who has Administrator-level access can inject script into a backup title, and that script runs whenever another administrator views the backup list page. To fix this, update the plugin to a version that is not vulnerable, or consider disabling the plugin until an update is available.

Original title
The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the backup title alias (`val` parameter) in the `update_kbd_bkup_alias` AJAX action in all versions up to...
Original description
The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the backup title alias (`val` parameter) in the `update_kbd_bkup_alias` AJAX action in all versions up to, and including, 2.1.2. This is due to insufficient input sanitization and output escaping. While `sanitize_text_field()` strips HTML tags on save, it does not encode double quotes. The backup titles are output in HTML attribute contexts without `esc_attr()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via attribute injection that will execute whenever another administrator views the backup list page.
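
The root cause described above, as an added example that is not the plugin's code: `demo_sanitize_text_field()` and `demo_esc_attr()` are simplified stand-ins for the WordPress functions, and the `<input>` markup and the sample alias are constructed for illustration. It shows that a value which survives tag stripping still changes the element's attribute set unless it is escaped for the attribute context at output time.

```php
<?php
// Simplified stand-in for WordPress sanitize_text_field() (assumption):
// strips tags and collapses whitespace, but leaves double quotes untouched.
function demo_sanitize_text_field(string $s): string {
    return trim(preg_replace('/\s+/', ' ', strip_tags($s)));
}

// Simplified stand-in for WordPress esc_attr() (assumption):
// entity-encodes quotes as well as <, > and &.
function demo_esc_attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical markup; the plugin's real template is not shown on the page.
function render_alias_field(string $alias, bool $escape): string {
    $out = $escape ? demo_esc_attr($alias) : $alias;
    return '<input type="text" name="alias" value="' . $out . '">';
}

// Parse the rendered HTML and return the attribute names a parser sees.
function attribute_names(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed input: a tag (removed on save) plus a quote that closes value="".
$submitted = '<b>nightly</b>" data-injected="1';
$stored = demo_sanitize_text_field($submitted);

foreach ([false, true] as $escape) {
    $html  = render_alias_field($stored, $escape);
    $extra = array_diff(attribute_names($html), ['type', 'name', 'value']);
    printf("%-9s %s\n  unexpected attributes: %s\n",
        $escape ? 'escaped' : 'unescaped', $html,
        $extra ? implode(', ', $extra) : 'none');
}
```

The same attribute-set comparison can serve as a regression check on any template that prints stored values inside quoted attributes.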
NVD CVSS 3.1: 4.4
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026