The File Manager WordPress plugin could expose backup files if the web server had Directory Listing enabled.
The File Manager WordPress plugin, version 6.4 and lower, failed to restrict external access to the fm_backups directory with a .htaccess file. This resulted in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, which the plugin had taken.
Proof of Concept
The backup files could be found in the /wp-content/uploads/wp-file-manager-pro/fm_backup directory.