In early 2025, security researchers uncovered a serious vulnerability—CVE-2025-26779—in a popular backup plugin called Keep Backup Daily made by Fahad Mahmood. This flaw, known as an "Improper Limitation of a Pathname to a Restricted Directory" or simply Path Traversal, can let attackers read, write, or even delete files outside the intended folder, potentially leading to full server compromise.
Keep Backup Daily, used by thousands to automate their website backups, had this bug in all versions up to 2.1.. Let’s break down what happened, how attackers can exploit it, and how you can protect yourself.
Understanding the Flaw
In simple terms, a path traversal vulnerability occurs when a program does not properly check user input in filenames or paths. If someone manipulates the filename—commonly with ../ (dot-dot-slash) sequences—they can "break out" of the intended directory and get to sensitive files elsewhere.
Suppose an application lets you download your backup files by requesting /download.php?file=backup.zip. If the application just plops the value of file into its path without checks, an attacker could instead pass in something like ../../../../etc/passwd and grab private system files (on Unix/Linux systems).
Exploit Details
Here's the core code snippet (simplified, based on analysis of Keep Backup Daily's codebase):
<?php
// Hypothetical file: download-backup.php
$backup_file = $_GET['file']; // User input, not validated!
$backup_dir = "/var/www/backups/"; // Intended backup folder
$file_path = $backup_dir . $backup_file; // Direct concatenation
if (file_exists($file_path)) {
header('Content-Type: application/octet-stream');
readfile($file_path);
} else {
echo "File not found!";
}
?>
See the issue? The script doesn't check if $backup_file sneaks in ../ sequences.
Let's say an attacker wants to read /wp-config.php—the sensitive WordPress config file
https://victim.com/wp-content/plugins/keep-backup-daily/download-backup.php?file=../../../../wp-config.php
The script, as coded, would grab and serve wp-config.php to the attacker, leaking database credentials and secret keys.
This technique works for any file the webserver user can read, including /etc/passwd, logs, other users' data, etc.
Reference Links
- CVE-2025-26779 at NVD
- Keep Backup Daily WordPress Plugin
- OWASP Path Traversal Cheat Sheet
Full Compromise: With wp-config in hand, hackers can often take over your website.
- Wiping or Tampering: Depending on permissions, an attacker might delete or replace your files—wrecking your site.
Update Immediately: The plugin authors patched this in later versions, so upgrade past 2.1. now.
2. Sanitize Input: Only allow known-safe filenames, and reject any that contain ../ or start with /.
3. Use Path Functions: Use realpath() and check if the file is within the allowed backup folder. Example:
die("Invalid request.");
}
Reported: Early 2025
- Patched: Version 2.1.1 (check changelog)
- Public Disclosure: As CVE-2025-26779
Final Notes
This vulnerability reminds us that never trust user input—especially when it’s used to access files. If you use Keep Backup Daily or similar plugins, make sure to keep them up to date and do a periodic security checkup on your website.
Spread the word: These simple coding mistakes are still common, but they’re easy to prevent once you know how.
Stay safe, and back up responsibly!
*If you want to test your site for this bug, always do it on a staging environment and with permission. For more info, see the WordPress plugin security guidelines.*
Timeline
Published on: 02/16/2025 23:15:11 UTC