JetBackup – Backup, Restore & Migrate Security & Risk Analysis

wordpress.org/plugins/backup

Backup, restore, and migrate WordPress sites fast. Supports TAR, remote backups, multi schedules, and full multisite compatibility.

100K active installs · v3.1.20.3 · PHP 7.4+ · WP 6.0+ · Updated Mar 31, 2026
backup · remote-backup · restore
Score 82 · B · Generally Safe
CVEs total: 10
Unpatched: 0
Last CVE: Apr 16, 2026
Safety Verdict

Is JetBackup – Backup, Restore & Migrate Safe to Use in 2026?

Mostly Safe

Score 82/100

JetBackup – Backup, Restore & Migrate is generally safe to use. 10 past CVEs were resolved.

10 known CVEs · Last CVE: Apr 16, 2026 · Updated 1mo ago
Risk Assessment

This plugin exhibits a mixed security posture, with several positive indicators but also significant areas of concern. The code analysis reveals a substantial attack surface with two AJAX handlers, both lacking authentication checks. This is a critical weakness, as it allows any unauthenticated user to potentially trigger these handlers, leading to unauthorized actions. While the plugin demonstrates good practices in other areas, such as a high percentage of prepared statements for SQL queries and properly escaped output, the unprotected entry points are a glaring vulnerability.

The taint analysis shows no critical or high severity flows with unsanitized paths, which is a positive sign. However, the presence of dangerous functions like `unserialize`, `exec`, and `shell_exec`, even if not currently exploited in taint flows, indicates potential for future severe vulnerabilities if input is not meticulously handled.

The plugin's vulnerability history is concerning, with a total of 9 known CVEs, including a past critical vulnerability. The common types of vulnerabilities like XSS, unrestricted uploads, exposure of sensitive information, and missing authorization highlight a recurring pattern of security flaws. While there are currently no unpatched CVEs, the history suggests a tendency to develop vulnerabilities that require patches.

Key Concerns

  • Unprotected AJAX handlers
  • Use of dangerous functions (unserialize, exec, shell_exec)
  • History of 9 known CVEs
  • Past critical CVE
  • History of high severity CVEs
  • History of medium severity CVEs
  • Missing authorization vulnerability history
  • Cross-Site Request Forgery vulnerability history
  • Unrestricted upload vulnerability history
  • Exposure of sensitive information vulnerability history
  • Cross-site Scripting vulnerability history
Vulnerabilities
10 published

JetBackup – Backup, Restore & Migrate Security Vulnerabilities

CVEs by Year

2016: 1 CVE
2017: 2 CVEs
2020: 3 CVEs
2021: 1 CVE
2022: 1 CVE
2024: 1 CVE
2026: 1 CVE

Severity Breakdown

Critical: 1
High: 3
Medium: 6

10 total CVEs

CVE-2026-4853 · medium · 4.9 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
JetBackup <= 3.1.19.8 - Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal in 'fileName' Parameter
Apr 16, 2026 · Patched in 3.1.20.3 (1d)

CVE-2023-7165 · critical · 9.8 · Exposure of Sensitive Information to an Unauthorized Actor
JetBackup <= 2.0.9.7 - Sensitive Information Exposure via Directory Listing
Feb 2, 2024 · Patched in 2.0.9.9 (6d)

CVE-2022-34148 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Backup Guard <= 1.6.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
Oct 27, 2022 · Patched in 1.6.9.1 (453d)

CVE-2021-24155 · high · 7.2 · Unrestricted Upload of File with Dangerous Type
Backup Guard <= 1.5.9 - Authenticated Arbitrary File Upload
Feb 18, 2021 · Patched in 1.6.0 (1069d)

CVE-2020-36668 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor
JetBackup – WP Backup, Migrate & Restore <= 1.4.0 - Sensitive Information Disclosure
Jul 30, 2020 · Patched in 1.4.1 (1272d)

CVE-2020-36667 · medium · 5.4 · Missing Authorization
JetBackup – WP Backup, Migrate & Restore <= 1.4.1 - Missing Authorization to Unauthorized Backup Location Change
Jul 30, 2020 · Patched in 1.4.1 (1272d)

CVE-2020-36669 · high · 8.8 · Cross-Site Request Forgery (CSRF)
JetBackup – WP Backup, Migrate & Restore <= 1.3.9 - Cross-Site Request Forgery to Arbitrary File Upload
Jul 16, 2020 · Patched in 1.4.0 (1286d)

CVE-2017-10837 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
BackupGuard <= 1.1.46 - Reflected Cross-Site Scripting
Aug 24, 2017 · Patched in 1.1.47 (2343d)

CVE-2017-18488 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Backup Guard <= 1.1.46 - Cross-Site Scripting
Aug 11, 2017 · Patched in 1.1.47 (2356d)

WF-7ee267ff-b650-44a5-994b-3a22d34722e8-backup · high · 8.8 · Unrestricted Upload of File with Dangerous Type
WordPress Backup and Migrate Plugin – Backup Guard < 1.0.3 - Arbitrary File Upload
Feb 15, 2016 · Patched in 1.0.3 (2899d)

Version History

JetBackup – Backup, Restore & Migrate Release Timeline

v3.1.20.3 · Current · 13 files changed
v3.1.19.8 · 1 CVE · 41 files changed
v3.1.18.10 · 1 CVE
v3.1.18.9 · 1 CVE
v3.1.18.8 · 1 CVE · 24 files changed
v3.1.17.5 · 1 CVE · 16 files changed
v3.1.16.1 · 1 CVE · 4 files changed
v3.1.15.4 · 1 CVE · 12 files changed
v3.1.14.17 · 1 CVE · 19 files changed
v3.1.13.4 · 1 CVE · 15 files changed
v3.1.12.3 · 1 CVE · 23 files changed
v3.1.11.1 · 1 CVE · 22 files changed
v3.1.10.7 · 1 CVE · 23 files changed
v3.1.9.2 · 1 CVE · 140 files changed
v3.1.7.9 · 1 CVE
v2.0.9.15 · 1 CVE
v2.0.9.14 · 1 CVE
v2.0.9.11 · 1 CVE
v2.0.9.9 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

JetBackup – Backup, Restore & Migrate Code Analysis

Dangerous Functions: 9
Raw SQL Queries: 3 (38 prepared)
Unescaped Output: 31 (738 escaped)
Nonce Checks: 1
Capability Checks: 6
File Operations: 297
External Requests: 3
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$data = $jetbackup_config ? unserialize(Crypt::decrypt($jetbackup_config, DB_PASSWORD)) : [];` · src\JetBackup\Config\Config.php:185
unserialize · `$this->_insertAdminUser( (array) unserialize( $admin_user ));` · src\JetBackup\Cron\Task\Restore.php:747
unserialize · `$session_tokens = unserialize($user->session_tokens);` · src\JetBackup\Cron\Task\Restore.php:847
unserialize · `case (($unserialized = @unserialize($data, ['allowed_classes' => false])) !== false || $data == 'b:0` · src\JetBackup\Cron\Task\Restore.php:1240
exec · `else exec($cmd, $o, $code);` · src\JetBackup\IO\Execute.php:39
shell_exec · `$o = shell_exec($cmd);` · src\JetBackup\IO\Execute.php:47
proc_open · `$process = proc_open(` · src\JetBackup\IO\Process.php:97
unserialize · `$data = $contents ? @unserialize($contents) : false;` · src\JetBackup\ResumableTask\ResumableTask.php:48
unserialize · `$data = $contents ? @unserialize($contents) : false;` · src\JetBackup\ResumableTask\ResumableTask.php:68

SQL Query Safety

93% prepared · 41 total queries

Output Escaping

96% escaped · 769 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

5 flows · 5 with unsanitized paths
__construct (src\JetBackup\3rdparty\phpseclib3\System\SSH\Agent.php:119)
Attack Surface
2 unprotected

JetBackup – Backup, Restore & Migrate Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers: 2

auth · wp_ajax_jetbackup_api · src\JetBackup\Wordpress\Init.php:122
auth · wp_ajax_jetbackup_heartbeat · src\JetBackup\Wordpress\Init.php:126

WordPress Hooks: 18

action · init · backup.php:26
action · init · backup.php:27
action · upgrader_process_complete · backup.php:29
filter · admin_body_class · backup.php:30
action · admin_bar_menu · backup.php:32
filter · plugin_action_links_backup/backup.php · backup.php:40
filter · plugin_row_meta · backup.php:48
filter · site_transient_update_plugins · backup.php:56
filter · pre_wp_cache_get · src\JetBackup\Cache\CacheHandler.php:39
filter · pre_transient_* · src\JetBackup\Cache\CacheHandler.php:40
filter · pre_site_transient_* · src\JetBackup\Cache\CacheHandler.php:41
action · elementor/init · src\JetBackup\Integrations\Vendors\Elementor.php:22
action · wp_loaded · src\JetBackup\Wordpress\Init.php:95
action · wp_loaded · src\JetBackup\Wordpress\Init.php:96
action · network_admin_menu · src\JetBackup\Wordpress\Init.php:117
action · admin_menu · src\JetBackup\Wordpress\Init.php:121
action · admin_footer · src\JetBackup\Wordpress\Init.php:125
action · admin_notices · src\JetBackup\Wordpress\Init.php:161
Maintenance & Trust

JetBackup – Backup, Restore & Migrate Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.0
Last updated: Mar 31, 2026
PHP min version: 7.4
Downloads: 4.2M

Community Trust

Rating: 90/100
Number of ratings: 1,051
Active installs: 100K
Developer Profile

JetBackup – Backup, Restore & Migrate Developer Profile

JetBackup

1 plugin · 100K total installs

Trust score: 66
Avg Security Score: 82/100
Avg Patch Time: 1296 days
Detection Fingerprints

How We Detect JetBackup – Backup, Restore & Migrate

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/backup/public/libraries/main.js
/wp-content/plugins/backup/public/images/eddie-menu.svg
/wp-content/plugins/backup/public/css/common.css
/wp-content/plugins/backup/public/css/checkbox.min.css
/wp-content/plugins/backup/public/libraries/angular-loading-bar/loading-bar.css
/wp-content/plugins/backup/public/libraries/angular-moment-picker/angular-moment-picker.min.css
/wp-content/plugins/backup/public/libraries/bootstrap/css/bootstrap.min.css
/wp-content/plugins/backup/public/libraries/fontawesome/css/all.min.css
+2 more
Script Paths
/wp-content/plugins/backup/public/libraries/main.js

HTML / DOM Fingerprints

CSS Classes
update-plugins
plugin-count
Data Attributes
data-jetbackup-url
FAQ

Frequently Asked Questions about JetBackup – Backup, Restore & Migrate