| Plugin Name | All-in-One WP Migration |
|---|---|
| Type of Vulnerability | Authenticated Stored XSS |
| CVE Number | CVE-2025-8490 |
| Urgency | Low |
| CVE Publish Date | 2025-08-26 |
| Source URL | CVE-2025-8490 |
All-in-One WP Migration <= 7.97 — Authenticated Administrator Stored XSS (CVE-2025-8490)
Summary
- What: Authenticated (administrator) stored Cross‑Site Scripting (XSS) in All‑in‑One WP Migration (≤ 7.97). Tracked as CVE‑2025‑8490.
- Who it affects: WordPress sites running All‑in‑One WP Migration version 7.97 or older that allow administrators to import .wpress archives.
- Impact: A malicious administrator (or someone who has gained administrator privileges) can craft an import archive that stores malicious JavaScript in the database. That payload can later execute in other admin or public user contexts, allowing session theft, privilege escalation via CSRF chaining, admin UI manipulation, persistent redirects, content injection, and other stored XSS outcomes.
- Fixed in: 7.98 — update to 7.98 or later as soon as possible.
This advisory is written from a practical Hong Kong security expert perspective: clearly describe the risk, detection, and remediation steps without vendor marketing. Follow the checklist below if you operate affected sites.
Why this matters (plain language)
Stored XSS is a dangerous client‑side vulnerability: malicious code is injected and persists on your site (in the database or stored files). Any visitor or administrator who later views the affected page will execute that script in their browser. Because All‑in‑One WP Migration imports full site content, it can be abused to import HTML/JS that ends up in posts, widgets, options or other persisted storage — and if that data is not validated and escaped on output, the script runs.
Although this issue requires Administrator-level access to perform the import, that does not make the risk negligible. Administrator accounts can be obtained through credential reuse, phishing, shared credentials (agencies, contractors), compromised third‑party integrations, or chained vulnerabilities. Secure import functionality as part of basic WordPress hygiene.
Technical background — how the vulnerability works
All‑in‑One WP Migration creates and restores site archives (.wpress) that contain serialized representations of database rows, files, options, and other assets. During import, the plugin reads the archive and writes data back into WordPress persistence layers (posts, terms, options, widgets, etc.). The issue that led to CVE‑2025‑8490 is insufficient sanitization and/or improper handling of imported data: certain fields that are later rendered in admin or front‑end views were not escaped or filtered correctly before being saved and displayed.
Typical exploitation flow:
