Dutch security researcher Tijme Gommers says Anchor CMS may be accidentally exposing database passwords in public-facing error logs, in some cases in cleartext. The error log file is meant to be private, but a default install of Anchor CMS leaves it publicly accessible, and users may not be aware of the importance of this file. An attacker can easily access the log file and download a copy of it.
Source: https://www.bleepingcomputer.com/news/security/anchor-cms-sites-may-be-spewing-their-database-passwords/

