JetBackup < 2.0.9.9 - Directory Listing Exposing Backups

Description The plugin doesn’t use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files. A partial fix was released in 2.0.9.6, removing the ability to list the directory but still allowing direct access to the files by only guessing the timestamp of the backup.

PoC

1. Run backup function http://your_site/wordpress/wp-admin/admin.php?page=backup_guard_backups 2) When the scan is over, the attacker must sort through the directory “/wordpress/wp-content/uploads/jetbackup/*”, after which there will be a Directory Listing vulnerability in it, which will allow pumping out all backup and all logs. This vulnerability will be available if a person names the file in a simple way.