The WordPress plugin Duplicator

Duplicator is a WordPress plugin essentially a simple backup and site migration utility.  Duplicator prior to version 1.3.28 and Duplicator Pro prior to version 3.8.7.1 contain an unauthenticated arbitrary file download vulnerability issue.

According to Wordfence, the 60,000 exploitation attempts that it saw within its customer telemetry were all efforts to download the wp-config.php file.