A similar issue was discovered by Larry W. Cashdollar at around the same time (you can compare the file SHA1 with my tweet).
The json_return function doesn't check admin privileges.
So any registered user can view and download already created backups.
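The missing check, shown as a constructed WordPress AJAX handler (an added illustration, not the affected plugin's code): the function name json_return comes from the advisory, everything else (the backup directory, the action and nonce names) is assumed.

```php
<?php
// Constructed illustration, not the affected plugin's actual code.
// Handlers hooked on wp_ajax_* are reachable by ANY logged-in user
// (a self-registered subscriber included), so the handler itself must
// decide who is allowed to get the data.

// What the advisory describes: the handler assumes only an admin would
// call it and never checks a capability. Not registered here on purpose.
function json_return_vulnerable() {
    $backup_dir = WP_CONTENT_DIR . '/backups';          // assumed path
    $files      = array_map('basename', glob($backup_dir . '/*.zip') ?: array());
    wp_send_json(array('backups' => $files));            // leaks to everyone
}

// Hardened form: an explicit capability check plus a nonce, answering
// with an error instead of data for anyone else.
function json_return_hardened() {
    // Backups contain the whole site (database dump, wp-config.php),
    // so only users who may manage the site get to see or fetch them.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);            // exits
    }
    // Also reject forged requests riding on an admin's browser session.
    check_ajax_referer('backup_json_return', 'nonce');   // assumed names

    $backup_dir = WP_CONTENT_DIR . '/backups';
    $files      = array_map('basename', glob($backup_dir . '/*.zip') ?: array());
    wp_send_json_success(array('backups' => $files));
}
// Register only the authenticated hook; never add a wp_ajax_nopriv_
// variant for privileged data.
add_action('wp_ajax_json_return', 'json_return_hardened');
```

The same gate belongs on every handler that serves backup contents (the download action as well as the listing), since the list is only useful to an attacker if the files themselves are also unprotected.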
Proof of Concept:
Register as a standard user using wp-login.php?action=register, then log in using
- 16-10-2014: Discovered
- 07-11-2014: Vendor notified
- 13-11-2014: Second notification