Stored Cross-Site Scripting Vulnerability in All-in-One WP Migration and Backup Plugin for WordPress
CVE-2025-8490

4.4MEDIUM

Key Information:

Vendor: WordPress
Status: All-in-one WP Migration And Backup
Vendor: CVE Published:; 26 August 2025

What is CVE-2025-8490?

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in the Import functionality. This vulnerability can be exploited by authenticated attackers with administrator-level access, enabling them to inject arbitrary web scripts into pages. The malicious scripts execute whenever a user visits an affected page. This issue is especially pertinent to multi-site installations and sites with unfiltered_html disabled, making it crucial for administrators to ensure their installations are updated and secured against potential exploits.

Affected Version(s)

All-in-One WP Migration and Backup * <= 7.97

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/all-in-one-wp-...

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 26, 2025
Vulnerability Reserved
Aug 1, 2025

Credit

Jack Pas