The plugin does not restrict access to a file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.
The filepath in /wp-content/plugins/boldgrid-backup/cron/restore-info.json will reveal the internal path of the backup file, which might be publicly accessible.

    GET /wp-content/plugins/boldgrid-backup/cron/restore-info.json

    {
      [...]
      "filepath":"/wp-content/boldgrid_backup_[RANDOM]/boldgrid-backup-www.example.com_wordpress-[RANDOM]-[DATE]-XXXXXX.zip"
      [...]
    }
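A defender-side check for the exposure described above, added here as an example and not part of the advisory or the plugin: it scans web-server access logs for successful reads of restore-info.json and for backup archive downloads by the same client. The common/combined log format, the sample lines and the function name find_backup_exposure are assumptions.

```python
import re

# Common/combined access-log line: client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
INFO_PATH = "/wp-content/plugins/boldgrid-backup/cron/restore-info.json"
# Archive location shape taken from the "filepath" value in the advisory.
BACKUP_RE = re.compile(r"^/wp-content/boldgrid_backup_[^/]+/[^/]+\.zip$")


def find_backup_exposure(lines):
    """Map client IP -> successful reads of restore-info.json and successful
    backup downloads, flagging a download that followed a read."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] not in ("200", "206"):
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        is_info = path == INFO_PATH
        if not is_info and not BACKUP_RE.match(path):
            continue
        entry = findings.setdefault(
            m["ip"],
            {"read_info": False, "downloads": [], "leak_then_download": False},
        )
        if is_info:
            entry["read_info"] = True
        else:
            entry["downloads"].append(path)
            entry["leak_then_download"] |= entry["read_info"]
    return findings


# Constructed sample log lines (documentation IP ranges, made-up tokens).
ZIP = ("/wp-content/boldgrid_backup_abc123/"
       "boldgrid-backup-www.example.com_wordpress-abc123-20201214-000000.zip")
SAMPLE_LOG = [
    f'203.0.113.7 - - [14/Dec/2020:10:00:01 +0000] "GET {INFO_PATH} HTTP/1.1" 200 512',
    f'203.0.113.7 - - [14/Dec/2020:10:00:05 +0000] "GET {ZIP} HTTP/1.1" 200 9000000',
    f'198.51.100.9 - - [14/Dec/2020:11:00:00 +0000] "GET {INFO_PATH} HTTP/1.1" 403 153',
    '192.0.2.44 - - [14/Dec/2020:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, entry in find_backup_exposure(SAMPLE_LOG).items():
        print(ip, entry)
```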
2020-12-14
2020-12-14
2020-12-15