WordPress Plugin Vulnerabilities

JetBackup < 1.4.1 - Subscriber+ Sensitive Information Disclosure

Description

The plugin does not have authorisation in an AJAX action (with a callback to backup_guard_get_manual_modal()), allowing any authenticated users, such as subscriber to call it and retrieve database table information

Affects Plugins

Plugin icon
backup
Fixed in 1.4.1

References

CVE
CVE-2020-36668

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Chloe Chamberland
Verified
No
WPVDB ID
1e95eace-2ea6-4bab-befb-547125070a1a

Timeline

Publicly Published
2020-07-30 (about 5 years ago)
Added
2023-03-07 (about 3 years ago)
Last Updated
2023-03-07 (about 3 years ago)

Other

Published
Title
Published
2024-03-20
Title
Avada < 7.11.7 - Unauthenticated Sensitive Information Exposure via Form Uploads Directory Listing
Published
2025-11-18
Title
Quiz Maker < 6.7.0.81 - Unauthenticated Sensitive Information Exposure
Published
2023-12-28
Title
WP Stripe Checkout < 1.2.2.38 - Sensitive Information Exposure via Debug Log
Published
2026-04-06
Title
IDPay Payment Gateway for Woocommerce <= 2.2.5 - Unauthenticated Information Exposure
Published
2026-01-06
Title
ShareThis Dashboard for Google Analytics <= 3.2.4 - Unauthenticated Google Analytics Data Exposure