The BackWPup WordPress plugin prior to 4.0.4 does not prevent visitors from leaking key information about ongoing backups, allowing unauthenticated malicious users to download backups of a site's database.