While browsing for WordPress themes, I came across sitemile.com. After checking the technologies used on the site with Wappalyzer, I noticed the website was running WordPress.
Out of curiosity, I performed a quick scan using WPScan with the following command:
wpscan --url "https://sitemile.com/" -e vp,vt,cb,dbe --api-token XXX --rua --force

After the scan completed, WPScan reported an exposed SQL database file located in the web root:
[!] https://sitemile.com/localhost.sql | Found By: Direct Access (Aggressive Detection)

Upon verification, the file appeared to contain a full production database dump, including website data, customer information, purchases, themes, and other sensitive records. The issue was responsibly reported shortly after discovery.

Although I never received a response, the exposed database file was removed quickly after the report was sent.
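The finding above is a "direct access" check: WPScan simply requests well-known file names under the web root. As an added example (not the post's own tooling and not WPScan output), the script below does the same thing for a handful of common dump names and, because many sites answer every unknown path with a 200 "not found" page, inspects the body for SQL-dump markers before calling anything exposed. The candidate file names, the 64 KiB read limit and the marker regex are assumptions chosen for illustration; only run it against hosts you are authorised to test.

```shell
#!/usr/bin/env bash
# Probe a web root for exposed database dumps and distinguish real dumps
# from soft-404 pages. Example script; candidate names and markers are
# illustrative assumptions, not taken from the original post.
set -u

# Dump names commonly left behind in web roots (assumed, illustrative list).
DUMP_CANDIDATES="localhost.sql dump.sql backup.sql db.sql database.sql wordpress.sql"

# looks_like_sql_dump: read a response body on stdin; return 0 if it carries
# typical SQL-dump markers, 1 otherwise. Dumps announce themselves near the
# top, so only the first 64 KiB is inspected.
looks_like_sql_dump() {
  head -c 65536 | grep -qiE \
    '^-- (MySQL|MariaDB|PostgreSQL) dump|^CREATE TABLE|^INSERT INTO|^DROP TABLE IF EXISTS'
}

# classify_response: given an HTTP status and a file holding the body, print
# one of EXPOSED-SQL-DUMP, 200-BUT-NOT-SQL (likely soft 404) or NOT-EXPOSED.
classify_response() {
  local status="$1" body_file="$2"
  if [ "$status" = "200" ] || [ "$status" = "206" ]; then
    if looks_like_sql_dump < "$body_file"; then
      printf 'EXPOSED-SQL-DUMP\n'
    else
      printf '200-BUT-NOT-SQL\n'
    fi
  else
    printf 'NOT-EXPOSED\n'
  fi
}

# probe_dump: fetch <base>/<name> (first 64 KiB only, via a Range request) and
# print "<status> <name> <verdict>". Follows redirects; 15 s timeout.
probe_dump() {
  local base="$1" name="$2" tmp status verdict
  tmp=$(mktemp)
  status=$(curl -sL --max-time 15 -A "dump-check" -r 0-65535 \
           -o "$tmp" -w '%{http_code}' "$base/$name" || printf '000')
  verdict=$(classify_response "$status" "$tmp")
  rm -f "$tmp"
  printf '%s %s %s\n' "$status" "$name" "$verdict"
}

# Usage: ./probe.sh https://example.com
# The same loop doubles as the post-fix check: every candidate should come
# back NOT-EXPOSED (e.g. a 404) once the dump has been removed.
if [ "${1:-}" != "" ]; then
  for n in $DUMP_CANDIDATES; do
    probe_dump "${1%/}" "$n"
  done
fi
```

The body check matters because a plain status-code scan reports false positives on sites that serve a friendly page with HTTP 200 for any path. The lasting fix is to keep database exports out of the document root entirely (and, as a second line of defence, have the web server refuse to serve `*.sql` and archive files) rather than to delete one file after the fact.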
Timeline
- 26 April 2026 19:47 — Discovered exposed database dump at https://sitemile.com/localhost.sql
- 26 April 2026 20:20 — Reported the issue to the CEO
- 26 April 2026 20:43 — Verified the file had been removed and returned HTTP 404