VM Backups <= 1.0 - CSRF to Database Backup Download
The plugin does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the DB, plugins, and current theme.
The files will be created in the uploads directory by default, with a timestamp in their filenames, without any access restriction, leaving them exposed if an attacker guesses their path or the blog is misconfigured to allow directory listing. However they could also be sent to an arbitrary email address via the CSRF attack as well.
As the plugin uses mysql_connect(), PHP < 7 is required on the target to be able to perform the attack, however a blog using the plugin is likely to be configured this way.
Proof of Concept
The PoC will be displayed once the issue has been remediated