Viewing 2 replies - 1 through 2 (of 2 total)
  • This is a serious issue. I recommend that everyone review the plugin configuration and change the Local folder path. Adding a longer random string at the end should do the trick.

    The plugin author has to initialize the path on initialization with a non-guessable value. Or even use a path which is not web-readable at all.

    The logfile exposes the existence of the vulnerability. Also consider censoring the exact path in the log output so users do not accidentally publish their site configuration.

  • Thanks for the input, guys. I am working on version 2.1 of the plugin and am addressing this issue.
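The three mitigations suggested in the first reply (an unguessable folder name, a folder outside the web root, and a redacted path in the log), sketched as an added example that is not part of the thread and not the plugin's own code. The function names and the demo directory layout are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not taken from the plugin.

/** Create a backup directory whose name ends in 128 bits of CSPRNG output. */
function make_backup_dir(string $parent): string {
    $dir = rtrim($parent, '/\\') . '/backups-' . bin2hex(random_bytes(16));
    if (!mkdir($dir, 0700, true)) {
        throw new RuntimeException('cannot create backup directory');
    }
    return realpath($dir);
}

/** True if $path resolves to a location inside $docroot, i.e. reachable by URL. */
function is_under_docroot(string $path, string $docroot): bool {
    $p = realpath($path);
    $d = realpath($docroot);
    if ($p === false || $d === false) {
        return true; // fail closed: treat unresolvable paths as exposed
    }
    // Compare with a trailing separator so /var/www does not match /var/www2.
    $d = rtrim($d, '/\\') . DIRECTORY_SEPARATOR;
    return strncmp($p . DIRECTORY_SEPARATOR, $d, strlen($d)) === 0;
}

/** Replace the backup path in a log line so pasted logs do not reveal it. */
function redact_path(string $line, string $backupDir): string {
    return str_replace($backupDir, '[backup-dir]', $line);
}

// Constructed demo layout under the system temp directory.
$base = sys_get_temp_dir() . '/demo-' . bin2hex(random_bytes(4));
$docroot = $base . '/public_html';
mkdir($docroot, 0755, true);

// Unguessable name, but the folder is still served by the web server.
$inside = make_backup_dir($docroot . '/wp-content');
// Outside the web root: no URL maps to it at all.
$outside = make_backup_dir($base . '/private');

var_dump(is_under_docroot($inside, $docroot));
var_dump(is_under_docroot($outside, $docroot));
echo redact_path("Backup written to $outside/site.zip", $outside), "\n";
```

A random folder name only hides the backups while the parent directory is not listable, so the location outside the web root is the stronger of the two options.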

  • The topic ‘Backups visible on the web?’ is closed to new replies.