{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3577", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-04T22:07:27.556Z", "datePublished": "2026-03-20T23:25:11.059Z", "dateUpdated": "2026-04-08T16:37:40.746Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:40.746Z"}, "affected": [{"vendor": "fahadmahmood", "product": "Keep Backup Daily", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the backup title alias (`val` parameter) in the `update_kbd_bkup_alias` AJAX action in all versions up to, and including, 2.1.2. This is due to insufficient input sanitization and output escaping. While `sanitize_text_field()` strips HTML tags on save, it does not encode double quotes. The backup titles are output in HTML attribute contexts without `esc_attr()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via attribute injection that will execute whenever another administrator views the backup list page."}], "title": "Keep Backup Daily <= 2.1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Backup Title", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18a4fa4b-5c99-4347-8b34-e49f7e0972be?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/tags/2.1.1/inc/functions.php#L626"}, {"url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/trunk/inc/functions.php#L626"}, {"url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/tags/2.1.1/inc/kbd_cron.php#L505"}, {"url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/trunk/inc/kbd_cron.php#L505"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3481587%40keep-backup-daily&new=3481587%40keep-backup-daily&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "san6051"}], "timeline": [{"time": "2026-03-20T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:07:53.730774Z", "id": "CVE-2026-3577", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:55:44.816Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3577", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T15:07:53.730774Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:07:54.852Z"}}], "cna": {"title": "Keep Backup Daily <= 2.1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Backup Title", "credits": [{"lang": "en", "type": "finder", "value": "san6051"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "fahadmahmood", "product": "Keep Backup Daily", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18a4fa4b-5c99-4347-8b34-e49f7e0972be?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/tags/2.1.1/inc/functions.php#L626"}, {"url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/trunk/inc/functions.php#L626"}, {"url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/tags/2.1.1/inc/kbd_cron.php#L505"}, {"url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/trunk/inc/kbd_cron.php#L505"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3481587%40keep-backup-daily&new=3481587%40keep-backup-daily&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the backup title alias (`val` parameter) in the `update_kbd_bkup_alias` AJAX action in all versions up to, and including, 2.1.2. This is due to insufficient input sanitization and output escaping. While `sanitize_text_field()` strips HTML tags on save, it does not encode double quotes. The backup titles are output in HTML attribute contexts without `esc_attr()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via attribute injection that will execute whenever another administrator views the backup list page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:40.746Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3577", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:40.746Z", "dateReserved": "2026-03-04T22:07:27.556Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-20T23:25:11.059Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the backup title alias (`val` parameter) in the `update_kbd_bkup_alias` AJAX action in all versions up to, and including, 2.1.2. This is due to insufficient input sanitization and output escaping. While `sanitize_text_field()` strips HTML tags on save, it does not encode double quotes. The backup titles are output in HTML attribute contexts without `esc_attr()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via attribute injection that will execute whenever another administrator views the backup list page."}, {"lang": "es", "value": "El plugin Keep Backup Daily para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del alias del t\u00edtulo de la copia de seguridad (par\u00e1metro 'val') en la acci\u00f3n AJAX 'update_kbd_bkup_alias' en todas las versiones hasta la 2.1.2, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Aunque 'sanitize_text_field()' elimina las etiquetas HTML al guardar, no codifica las comillas dobles. Los t\u00edtulos de las copias de seguridad se muestran en contextos de atributos HTML sin 'esc_attr()'. Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador y superior, inyecten scripts web arbitrarios a trav\u00e9s de la inyecci\u00f3n de atributos que se ejecutar\u00e1n cada vez que otro administrador vea la p\u00e1gina de la lista de copias de seguridad."}], "id": "CVE-2026-3577", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T00:16:28.917", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/tags/2.1.1/inc/functions.php#L626"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/tags/2.1.1/inc/kbd_cron.php#L505"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/trunk/inc/functions.php#L626"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/keep-backup-daily/trunk/inc/kbd_cron.php#L505"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3481587%40keep-backup-daily&new=3481587%40keep-backup-daily&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18a4fa4b-5c99-4347-8b34-e49f7e0972be?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Keep Backup Daily", "source": "cna", "vendor": "fahadmahmood"}, "product": "keep_backup_daily", "vendor": "fahadmahmood"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:25:57.751766+00:00", "value": {"mitigation_remediation": ["Update the Keep Backup Daily plugin to a version newer than 2.1.2 when the patch is released. If an update is not immediately available, permanently remove or renormalise any backup titles that contain suspicious characters by editing them through the WordPress admin. As an interim safety measure, limit the number of users with Administrator privileges and ensure a content security policy blocks inline scripts."], "summary": {"action": "Apply Patch", "impact": "Stored cross\u2011site scripting in admin context"}, "threat_synthesis": {"affected_systems": "All copies of the Keep Backup Daily WordPress plugin through version 2.1.2 are affected. The issue exists in the backup title alias handling in the plugin\u2019s AJAX interface. Sites running any of these versions should check the plugin version and update if possible.", "description_and_impact": "The vulnerability allows an attacker who holds Administrator or higher privileges on a WordPress site to inject arbitrary scripts via the backup title alias field during the AJAX update_kbd_bkup_alias operation. The input is stored without proper escaping, particularly missing esc_attr() when outputting the title in an HTML attribute. When another administrator views the backup list page, the injected script runs in the context of that admin\u2019s browser session, enabling cookie theft, session hijacking, or further compromise within the site.", "risk_and_exploitability": "The CVSS score of 4.4 indicates moderate risk. The lack of an EPSS score means the current likelihood of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. Since the flaw requires authenticated access, the risk primarily applies to sites with administrators who can alter backup titles. An attacker with such privileges could exploit the stored XSS by uploading a malicious backup title, causing client\u2011side compromise whenever another admin accesses the backup list page."}}}}, "created": "2026-03-23T09:51:41.596467+00:00", "updated": "2026-03-25T14:33:41.141652+00:00", "vendors": ["fahadmahmood", "fahadmahmood$PRODUCT$keep_backup_daily", "wordpress", "wordpress$PRODUCT$wordpress"]}