All-in-One WP Migration and Backup < 7.98 – Admin+ Stored XSS | CVE 2025-8490 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the Import due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

all-in-one-wp-migration

Fixed in 7.98

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/85930893-d415-4131-bcda-54a20644eddc

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Jack Pas (Dark.)

Verified

No

WPVDB ID

d221c139-5e3a-4475-95b1-7b2a77e9de3a

Timeline

Publicly Published

2025-08-26 (about 8 months ago)

Added

2025-08-26 (about 8 months ago)

Last Updated

2025-08-26 (about 8 months ago)

Other

Published

Title

Published

2025-01-06

Title

GDY Modular Content < 0.9.93 - Reflected Cross-Site Scripting

Published

2025-05-27

Title

Ivory Search < 5.5.10 - Admin+ Stored XSS

Published

2023-11-15

Title

Add Widgets to Page <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php

Published

2025-10-09

Title

Survey Maker < 5.1.8.9 - Unauthenticated Stored Cross-Site Scripting