Description The plugin stores in-progress backups information in easy to find, publicly-accessible files, which may allow attackers monitoring those to leak sensitive information from the site’s backups.
1) Run a backup of the site
2) Notice the following files are all publicly available while the site is being backed up:
./wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_links.sql
./wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_users.sql
./wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_termmeta.sql
./wp-content/plugins/backup-backup/includes/htaccess/bmi_logs_this_backup.log
(... the list is not exhaustive, virtually every table accessible to the site gets dumped in those log files ...)