CVE-2025-8490 in All-in-One WP Migration and Backup Plugin
Summary
by MITRE • 08/27/2025
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Import in all versions up to, and including, 7.97 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Analysis
by VulDB Data Team • 08/29/2025
The vulnerability identified as CVE-2025-8490 affects the All-in-One WP Migration and Backup plugin for WordPress in all versions up to and including 7.97. It is a critical security flaw for affected WordPress installations, particularly those running in multi-site configurations. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's import functionality, which opens a path for injected script content that persists across user sessions.
The technical flaw is a stored cross-site scripting vulnerability: the plugin processes imported data without proper validation and later renders it without escaping. An attacker holding administrator-level privileges can use this weakness to store malicious script in the WordPress environment, and that script executes whenever any user accesses the affected pages. Because the payload is stored, it remains in the system until it is manually removed and can affect every user who encounters the compromised content. The vulnerability only matters on multi-site installations and on systems where the unfiltered_html capability has been disabled. The reason is that WordPress permits users who hold unfiltered_html to store raw HTML and script deliberately, so injecting script is only a security-boundary violation where that capability has been withheld (on multi-site it is removed from non-super-admin site administrators by default). The security context of the target environment therefore determines whether this flaw is exploitable at all.
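The following PHP is an added illustration written for this analysis; it is not code from the All-in-One WP Migration and Backup plugin, and it does not reproduce the plugin's actual import path. It assumes it runs inside WordPress (for example from a plugin file) so that current_user_can(), wp_kses_post() and esc_html() are available. The function names prefixed example_ and the sample import record are constructed for the illustration. It shows the two controls the analysis above names: gating raw markup on the unfiltered_html capability the same way WordPress core does for post content, and escaping stored values again at render time.

```php
<?php
// Added illustration for CVE-2025-8490, not the plugin's own code.
// Assumes execution inside WordPress; all example_* names are hypothetical.

/**
 * Decide whether the acting user may store raw (unfiltered) HTML.
 *
 * WordPress core applies this rule to post content through kses: users
 * without unfiltered_html have their markup filtered. On multi-site only
 * super admins hold unfiltered_html by default, so a site administrator is
 * filtered; defining DISALLOW_UNFILTERED_HTML removes it from everyone.
 */
function example_user_may_store_unfiltered_html(): bool {
    return current_user_can( 'unfiltered_html' );
}

/**
 * Sanitize one imported field before it is written to the database.
 *
 * A user who legitimately holds unfiltered_html keeps their markup, which
 * matches core behaviour. Everyone else is reduced to the 'post' allowlist:
 * wp_kses_post() drops <script> elements, on* event-handler attributes and
 * URL protocols outside the allowed set.
 */
function example_sanitize_imported_field( string $value ): string {
    if ( example_user_may_store_unfiltered_html() ) {
        return $value;
    }
    return wp_kses_post( $value );
}

/**
 * Sanitize every field of an imported record. Fields are treated uniformly
 * here; a real importer would know which fields are plain text and could
 * use sanitize_text_field() for those instead.
 */
function example_sanitize_import_record( array $record ): array {
    $clean = array();
    foreach ( $record as $field => $raw ) {
        $clean[ $field ] = example_sanitize_imported_field( (string) $raw );
    }
    return $clean;
}

/**
 * Escape stored values at the point they are rendered.
 *
 * Sanitizing on import is not sufficient by itself: records may have been
 * stored before a fix was applied, or through a different path. Escaping on
 * output is the second half of the control. esc_html() is used where the
 * value is plain text, wp_kses_post() where limited markup is expected.
 */
function example_render_imported_record( array $stored ): string {
    $title = isset( $stored['title'] ) ? (string) $stored['title'] : '';
    $body  = isset( $stored['body'] ) ? (string) $stored['body'] : '';

    return '<h2>' . esc_html( $title ) . '</h2>'
        . '<div class="imported-body">' . wp_kses_post( $body ) . '</div>';
}

// Constructed sample import record for the illustration (not from any real archive).
$example_import_record = array(
    'title' => 'Welcome <script>alert(1)</script>',
    'body'  => '<p onclick="alert(1)">Hello</p><a href="javascript:alert(1)">link</a>',
);

$example_stored = example_sanitize_import_record( $example_import_record );
echo example_render_imported_record( $example_stored );
```

For a user who lacks unfiltered_html, the script element, the onclick handler and the javascript: URL in the constructed record are removed before storage, and the render step escapes the title regardless of how it was stored. For a super admin on multi-site, or any administrator on a single site with the default capabilities, the markup is stored as given, which is exactly why the advisory limits the affected configurations to multi-site and installations where unfiltered_html has been disabled.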
From an operational perspective, this vulnerability poses substantial risk to WordPress administrators and their users: persistent script execution in the browser of every visitor can be leveraged for credential theft, session hijacking and data exfiltration. The requirement for administrator-level access does not diminish the severity, because a compromised administrative account typically already gives an attacker broad access, and stored script lets that foothold reach every other user of the site. The impact can extend beyond the initial script execution to further exploitation through privilege escalation or lateral movement within the compromised environment, which makes this vulnerability particularly dangerous in enterprise or high-security WordPress deployments.
The vulnerability is classified as CWE-79 (Cross-Site Scripting) and can be mapped to ATT&CK technique T1566.001 for initial access through malicious content. Organizations should update to the latest plugin version and apply the vendor-supplied patch without delay, and should also restrict administrator privileges, monitor for suspicious import activity and conduct regular security audits. Network segmentation and web application firewalls add further layers of protection, while educating users about suspicious file imports and keeping software current remain essential to overall security posture. The vulnerability demonstrates the importance of proper input validation and output escaping in web applications, particularly in content management systems where user-supplied content is routinely processed.