Critical XSS Flaw in Keep Backup Daily//Published on 2026-03-22//CVE-2026-3577

WP-FIREWALL SECURITY TEAM

Keep Backup Daily Stored XSS Vulnerability

Plugin Name Keep Backup Daily
Type of Vulnerability Cross-Site Scripting (XSS)
CVE Number CVE-2026-3577
Urgency Low
CVE Publish Date 2026-03-22
Source URL CVE-2026-3577

Urgent: Stored XSS in “Keep Backup Daily” (<= 2.1.2) — What WordPress Owners Need to Know and Do Now

Date: 20 Mar, 2026
Vulnerability: Authenticated (Administrator) Stored Cross-Site Scripting (XSS) via backup title
Affected versions: Keep Backup Daily plugin <= 2.1.2
Patched in: 2.1.3
CVE: CVE-2026-3577
WP-Firewall priority: Low (CVSS 5.9) — but should not be ignored

As a WordPress security team and WordPress Web Application Firewall (WAF) vendor, we want to give you a practical, clear, and actionable breakdown of the recently disclosed stored XSS affecting the Keep Backup Daily plugin. This advisory is written for developers, site owners, and administrators who need to understand risk, detection, and mitigation from a real-world perspective — not just security-speak.

This vulnerability allows an authenticated user with administrator-level privileges to store JavaScript (or other HTML) in a backup’s title field. If that stored content is later rendered without proper sanitization, it can execute in the browser of another user (for example another administrator or editor), potentially leading to account compromise, persistent site defacement, or further exploitation (like adding backdoors, changing settings, or installing malicious plugins/themes).

Below you’ll find:
– A concise technical description
– Why it matters even with administrator-only access required
– Realistic attack scenarios and impact
– Detection methods and indicators of compromise (IoCs)
– Immediate mitigations (including WAF/virtual patching guidance and rules)
– Long-term hardening and incident response recommendations
– How WP-Firewall can help (including our free plan details and signup link)

1 — What happened (technical summary)

  • The plugin stores the value of a backup “title” without properly escaping or sanitizing it on output (and possibly input) in an admin view or other accessible page.
  • An authenticated user with administrator privileges can create a backup and put JavaScript or HTML into the title field. Because the title is stored and later rendered by the plugin’s UI without proper context-aware escaping, that content is executed in the browser of whoever views the page.
  • This is classified as a stored (persistent) XSS vulnerability. Unlike reflected XSS, stored XSS injects content that persists in the application backend (database, options, backup metadata) and is served to users later.
  • The vendor fixed this issue in version 2.1.3 by introducing proper sanitization/escaping where needed. Sites still running <= 2.1.2 remain at risk.

2 — Risk analysis and impact

At first glance, an admin-only stored XSS may sound low-risk: after all, the attacker already had admin access. But there are several realistic threat scenarios where this vulnerability is dangerous and should be remediated immediately:

  • Compromised admin account or rogue administrator: If an attacker gains access to an admin account (through credential reuse, phishing, stolen session tokens), they can plant persistent JavaScript in the backup title. That stored payload will run whenever other administrative users view the backup list or other UI that renders the title — expanding the attack to additional accounts.
  • Privilege escalation and persistence: A stored XSS payload can execute JavaScript in the context of the logged-in administrator. That allows the attacker to:
    • Harvest session cookies or authentication nonces and exfiltrate them.
    • Perform unauthorized actions via the admin UI using the victim’s rights (install plugins, change options, create new administrator users).
    • Inject backdoors into theme/plugin files (via the media editor, plugin editors, or installed file editors) — leading to full site compromise.
  • Supply-chain and multi-site exposure: On managed platforms or multi-site environments where multiple sites or users interact, stored XSS can be used to pivot between accounts and sites.
  • Reputation and SEO: Even a seemingly minor persistent script could cause redirect loops, spam injection, or stealthy ad insertion, harming SEO and user trust.

Although CVSS and some analysts mark this as “low” priority because an attacker must be admin (or the admin must be tricked into interacting with a crafted item), in practice attackers use these vectors as part of multi-step attacks that result in severe outcomes. Treat it seriously.

3 — Exploitation scenarios (high-level)

We will not publish exploit code or payloads. Below are high-level scenarios that attackers could use:

  • Scenario A: Credential reuse leads to admin compromise. Attacker logs in, creates a backup with a malicious title. Another admin later visits the backup list; the script executes in their browser, steals a session nonce, and the attacker takes over additional accounts.
  • Scenario B: Phishing + stored payload. Attacker convinces an admin to click a seemingly benign internal link (e.g., “View backups”). The admin’s session executes the stored script, which performs actions like plugin install or user creation through the admin UI automatically.
  • Scenario C: Insider threat. A disgruntled administrator plants persistent script in backup metadata to sabotage or to exfiltrate data when other admins log in.

In short: even though only admins can inject the payload, stored XSS enables lateral movement and escalation, making it a non-trivial risk.

4 — Immediate actions (triage & patching)

  1. Update the plugin to 2.1.3 or later immediately.
    • This is the fastest and most reliable fix.
  2. If you cannot update immediately (legacy compatibility, staging), then:
    • Disable the plugin temporarily if backups can be handled by another trusted plugin or hosting provider tooling.
    • Restrict who can access the backup interface — only known admin IPs or admin accounts.
    • Enable strict monitoring and intrusion detection on admin accounts.
  3. Rotate admin credentials and enable MFA:
    • Require MFA (two-factor authentication) for all administrator accounts.
    • Force password resets for admin accounts if you suspect compromise.
  4. Review backups and database entries:
    • Search for backup metadata (titles) containing “<script”, “javascript:”, or suspicious HTML entities.
    • If you find suspect entries, sanitize them or remove the corresponding backups. Export backups first to a safe location before deletion.
  5. Scan the site:
    • Run a full malware scan across uploads, themes, plugins, and database.
    • Look for recently modified files and unexpected admin users.
  6. Audit logs:
    • Check admin action logs — creation of backups, user creation, plugin installation — for suspicious timestamps and IP addresses.
  7. If an incident is confirmed:
    • Follow an incident response plan: isolate the site (maintenance mode or temporary firewall block), take a file system snapshot, preserve logs, rotate keys, restore from clean backup if required.

5 — How to detect exploitation (indicators of compromise)

Look for these signs that a stored XSS was used or attempted:

  • Backup titles or metadata in the database containing script tags or encoded JavaScript sequences:
    • Strings like “<script”, “onerror=”, “javascript:”, or suspicious encoded payloads (%3Cscript%3E).
  • Sudden changes by administrative accounts that you do not recognize (new admin users, changes to plugins/themes).
  • Unexpected outbound HTTP requests from the admin dashboard to external domains (payload exfiltration often uses remote endpoints).
  • Browser-based anomalies reported by admins:
    • Strange popups, automatic form submissions, or redirects when opening the backups page.
  • Increased 4xx/5xx errors or unusual admin UI behavior.
  • Web server logs showing POST/PUT requests to plugin endpoints with suspicious payloads.

Search the database for entries in plugin-specific tables or wp_options where backup metadata is stored. Run:

  • A database query to locate suspicious backup titles (escape appropriately before running queries on production).
  • A file integrity check to see if admin-side files were modified.

6 — WAF / Virtual patching guidance (recommended rules)

If updating immediately is not an option, a WAF (virtual patch) can reduce exposure by intercepting and blocking exploit attempts. Below are recommended rule strategies that WP-Firewall recommends and can implement for you:

  • Block suspicious inputs to plugin endpoints that handle backup creation or edit actions.
  • Sanitize or block requests with tag-like content in fields that should only contain simple text (backup title).
  • Deny requests containing suspicious patterns (e.g., “<script”, “onerror=”, “javascript:”) in POST variables or JSON payloads.
  • Limit endpoints to authenticated requests and only allow known admin sessions and IP ranges.

Example ModSecurity-style rule (conceptual):

# Block basic script tags in backup title (adjust to your WAF syntax)
SecRule REQUEST_METHOD "POST" "chain,deny,status:403,id:100001,phase:1,log,msg:'Block possible stored XSS in backup title'"
    SecRule ARGS_POST_NAMES|ARGS_NAMES "backup_title|title|backup-name" "chain"
    SecRule ARGS|REQUEST_BODY "(?:<\s*script\b|on\w+\s*=|javascript:|%3Cscript%3E)" "t:none,t:lowercase,log,deny"

Nginx+Lua or custom WAF pattern (conceptual):

-- pseudo-code: check request body for suspicious patterns in fields named 'backup_title'
local body = ngx.req.get_body_data()
if body then
  if string.match(body:lower(), '"backup_title"%s*:%s*"[^"]*<script') or
     string.match(body:lower(), 'backup_title=.*<script') then
    ngx.exit(403)
  end
end

Important notes:

  • Keep rules targeted to plugin-specific endpoints to avoid false positives.
  • Use progressive blocking: log first, then challenge (CAPTCHA), then block.
  • Block or challenge requests that include dangerous patterns in admin-facing forms or in parameters that should contain plaintext only.

WP-Firewall can deploy tuned virtual patches for this exact issue to prevent exploitation until plugin updates are applied.

7 — Hardening & best practices (beyond patching)

Patching is critical, but long-term mitigation requires hardening the environment:

  1. Principle of least privilege:
    • Reduce number of administrators. Use granular roles (Editors, Authors) where appropriate.
    • Avoid sharing admin accounts among users.
  2. Multifactor authentication:
    • Enforce MFA for all admin and high-privilege user accounts.
  3. Strong passwords and rotation:
    • Enforce strong password policies and rotate credentials after high-risk events.
  4. Role and capability audits:
    • Regularly review who has install/update plugins and access to backup UIs.
  5. Secure plugin lifecycle:
    • Only install plugins from trusted sources.
    • Keep themes and plugins up to date.
    • Remove unused plugins and themes; decommission orphaned plugins.
  6. File system and PHP hardening:
    • Disable file editing in the Dashboard (define('DISALLOW_FILE_EDIT', true);).
    • Limit write permissions to necessary directories.
  7. Monitoring and logging:
    • Centralize logging (admin events, webserver, WAF logs) and monitor for anomalous behavior.
    • Set up alerts for new admin creation, plugin installs, or large changes.
  8. Database hygiene:
    • Monitor and clean plugin-specific metadata tables for suspicious fields.
    • Be cautious about plugin features that accept arbitrary HTML input.
  9. Backups:
    • Keep off-site, versioned backups, and verify the integrity of backups.
    • Consider making backups immutable or restricted so they cannot be altered by an attacker.
  10. Staging and testing policies:
    • Test plugin updates in staging before rolling out to production, but do so quickly when a security fix is published.

8 — Incident response checklist (if you suspect exploitation)

  1. Isolate
    • Put the site into maintenance mode or firewall block while you investigate.
  2. Preserve evidence
    • Take server snapshots and preserve logs (webserver, database, WAF).
  3. Identify scope
    • Search for all occurrences of malicious payloads in plugin metadata, posts, options, user bios, and uploaded files.
  4. Remove backdoors
    • Look for new admin users, unknown themes/plugins, and modified core files. Remove or quarantine suspicious changes.
  5. Restore or remediate
    • If clean backups are available from before the incident, consider a full restore.
    • Reinstall core WordPress, themes, and plugins from clean sources where possible.
  6. Rotate secrets
    • Reset all admin account passwords, API keys, and any server-level credentials that may have been accessible.
  7. Post-incident monitoring
    • Increase monitoring, add enhanced logging and alerts, and run repeated malware scans.
  8. Postmortem
    • Document how the breach happened, lessons learned, and the steps taken to prevent recurrence.

9 — Detection rules & hunting queries (practical)

Here are some practical database and log-hunting queries — adapt carefully for your environment. Always backup and test queries on staging environments before running on production.

Search database for suspicious backup titles (SQL concept):

SELECT option_id, option_name, option_value
FROM wp_options
WHERE option_name LIKE '%backup%'
  AND (option_value LIKE '%<script%' OR option_value LIKE '%javascript:%' OR option_value LIKE '%onerror=%');

Search posts/metas for script tags (concept):

SELECT ID, post_title, post_date
FROM wp_posts
WHERE post_content LIKE '%<script%' OR post_title LIKE '%<script%';

Web server log patterns:

  • POST to plugin endpoints with request bodies containing “<script” or “onerror”.
  • Admin pages accessed from unusual IP addresses or from multiple locations in short windows.

WAF logs:

  • Requests triggering rules for script tags in POST body fields named backup_title, title, name.

10 — Why stored XSS demands attention even when it requires admin access

Two reasons:

  1. Amplification: A single compromised admin account can be used to inject persistent payloads that affect multiple accounts and persist through upgrades/changes.
  2. Real-world attack chaining: Attackers rarely stop at one vulnerability. Stored XSS is often exploited as a stepping stone to full site takeover — installing backdoors, creating stealthy admin users, or spreading to other sites and users.

Treat stored XSS in administrative contexts as a serious indicator of possible compromise vectors and act fast.

11 — How WP-Firewall protects you (and a special invite)

WP-Firewall provides managed WAF protection, continuous malware scanning, and rapid virtual patching so you can stay protected while you patch vulnerable plugins. Our protection is tuned for WordPress-specific routes and contexts, minimizing false positives and ensuring admin workflows remain usable while blocking exploit attempts.

We offer a free Basic plan that includes:

  • Managed firewall + WAF
  • Unlimited bandwidth (no extra fees)
  • Malware scanner
  • Mitigation for OWASP Top 10 risks

If you’d like to test our protection and see how virtual patching can protect your site while you schedule and test updates, sign up for our Basic (Free) plan:

Protect your site now — get started with WP-Firewall Basic

Sign up for WP-Firewall Basic (free)

Why this matters:

  • Our WAF can help block attempts that would exploit stored XSS patterns in admin-facing endpoints.
  • While you update the plugin, our virtual patches help reduce risk of lateral compromise and give you breathing room to follow full remediation steps.

(We also offer upgraded plans with automatic malware removal, advanced IP blacklisting/whitelisting, monthly security reports, automatic virtual patching, and premium add-ons for agencies and high-traffic sites.)

12 — Deployment checklist for teams (practical)

For security operators and site owners, here’s a short runbook to run through quickly:

  • Step 1: Check plugin version. If <= 2.1.2 — schedule immediate update to 2.1.3.
  • Step 2: If overnight rollout is needed, deploy WP-Firewall virtual patch to intercept potential exploit patterns on the backup endpoints.
  • Step 3: Review admin users — disable stale or unused accounts; enable MFA.
  • Step 4: Scan the database for suspicious backup titles and sanitize or remove them.
  • Step 5: Run a full site malware scan and check file change/time stamps.
  • Step 6: Rotate admin passwords and API keys if suspicious activity is detected.
  • Step 7: After remediation, monitor for at least 30 days for anomalous activity.

13 — FAQs (brief)

Q: Is it critical to update immediately?
A: Yes. The patch is simple and closes the data sanitization gap. Update to 2.1.3 as soon as possible.

Q: My site has only one admin and it’s me — is this still risky?
A: Yes. If your admin account is ever compromised, the stored payload could be used to persist and expand the attack. Also if you use shared hosting or admin sessions are accessible by others, risk increases.

Q: What if I can’t update due to compatibility?
A: Use virtual patching (WAF) and limit access to the plugin UI by IP or VPN. Treat it as a temporary measure and schedule a proper upgrade path with testing.

Q: Should I delete all backups created by the plugin?
A: Do not delete backups blindly. Export backups and inspect them. If backup metadata contains suspicious payloads in titles, remove/clean those entries. Prefer restoring from a verified clean backup if compromise is suspected.

14 — Closing thoughts

Security in WordPress is layered. Plugin vulnerabilities like this stored XSS expose how small sanitization omissions can be weaponized when combined with weak credentials, insufficient monitoring, or lack of least-privilege practices. The fastest and most reliable mitigation is to update the affected plugin to the patched version. If that’s not immediately possible, deploy a WAF/virtual patch and tighten administrative policies right away.

If you’d like professional help implementing virtual patches and continuous protection for your WordPress sites, WP-Firewall can protect your admin surfaces, block suspicious payloads, and monitor for exploitation attempts — giving you the time and confidence to deploy tested plugin updates.

Protect your WordPress environment now — update to Keep Backup Daily v2.1.3 (or later), audit your admin accounts, and consider adding WAF/virtual patching to your defense-in-depth strategy.

If you need a tailored emergency response for an active compromise, or help deploying WP-Firewall virtual patches for this precise vulnerability, our security engineers are available to assist. Sign up for our Basic (Free) plan and get immediate WAF coverage: https://my.wp-firewall.com/buy/wp-firewall-free-plan/

Stay safe,
The WP-Firewall Security Team

wordpress security update banner

Receive WP Security Weekly for Free 👋
Signup Now!!

Sign up to receive WordPress Security Update in your inbox, every week.

We don’t spam! Read our privacy policy for more info.

Contact us to schedule a complimentary WordPress Security consultation

Contact Us

WP-Firewall
6/F, The Rays, 71 Hung To Road, Kwun Tong, Kowloon, Hong Kong

Features Pricing Blog Login
Privacy Policy Terms of Service Docs Affiliate

© 2026 WP-Firewall™