CVE-2025-8490: 
WordPress vulnerability analysis and mitigation

The All-in-One WP Migration and Backup plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-8490) discovered on August 26, 2025. This vulnerability affects all versions up to and including 7.97. The issue specifically impacts multi-site installations and installations where unfiltered_html has been disabled (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue that exists in the Import functionality of the plugin. The root cause is insufficient input sanitization and output escaping. The vulnerability has been assigned a CVSS v3.1 base score of 4.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N, indicating that while the vulnerability requires high privileges and is complex to exploit, it can have cross-origin impact (NVD).

When successfully exploited, this vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page. The impact is limited to multi-site installations and installations where unfiltered_html has been disabled (NVD).

Users should update their All-in-One WP Migration and Backup plugin to a version newer than 7.97 once available. Until then, site administrators should ensure proper access controls are in place to limit administrator access and consider enabling unfiltered_html where appropriate (NVD).