CVE-2025-8490: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in servmask All-in-One WP Migration and Backup
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Import in all versions up to, and including, 7.97 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Analysis
Technical Summary
CVE-2025-8490 is a stored Cross-Site Scripting (XSS) vulnerability in the servmask All-in-One WP Migration and Backup WordPress plugin, affecting all versions up to and including 7.97. The cause is improper neutralization of input during web page generation: the Import functionality neither sanitizes imported content sufficiently nor escapes it on output. The scoping in the advisory is the key detail. On a single-site install, administrators hold the unfiltered_html capability and may post raw HTML, so an administrator storing script there is not a vulnerability. WordPress withholds that capability in exactly the two environments the advisory names: on multisite, only super admins keep unfiltered_html and ordinary site administrators do not, and the DISALLOW_UNFILTERED_HTML constant removes it from every role. In those environments the plugin's Import path lets an administrator store script that WordPress would otherwise have stripped, and the script executes in the browser of any user who views the injected page, including super admins on a multisite network. That is the realistic escalation path: a site administrator on one network site obtaining the session or actions of a super admin, and through that the rest of the network. The CVSS v3.1 base score is 4.4 (medium). It reflects the administrator-level privilege required and, in CVSS terms, no user interaction for the injection step itself; execution of the payload still requires a victim to load the page. Confidentiality and integrity impact are rated low and availability is unaffected. No exploitation in the wild has been reported, and no patch had been linked at the time of this entry. The weakness is classified as CWE-79, improper neutralization of input leading to XSS.
Potential Impact
For European organizations running WordPress with the All-in-One WP Migration and Backup plugin on a multisite network, or with unfiltered_html disabled, the risk is moderate. An attacker who already holds an administrator account can store script that executes in the browsers of other users who open the injected page: session cookies and nonces can be read, data exfiltrated, and actions performed with the victim's privileges. On a multisite network the most valuable victim is a super admin, whose session gives reach across every site on the network; this is what makes managed-hosting and agency networks with many site-level administrators the exposed population. The administrator prerequisite narrows the attack surface, so the realistic paths are a malicious or careless site administrator or a compromised administrator credential. WordPress is widely used across European media, education and small-to-medium enterprises, so the confidentiality and integrity of affected sites and their data are what is at stake; availability is not. The absence of known exploitation lowers the immediate risk, but the medium score still warrants remediation in the next maintenance window rather than indefinite deferral.
Mitigation Recommendations
European organizations should prioritize the following mitigation steps:
1) Audit WordPress installations for the All-in-One WP Migration and Backup plugin at version 7.97 or earlier, and for each one check whether it is a multisite network (MULTISITE defined as true in wp-config.php) or has DISALLOW_UNFILTERED_HTML set; only those installs are in scope, because elsewhere an administrator can already post raw HTML.
2) Restrict administrator access to trusted personnel and enforce strong authentication including multi-factor authentication; on multisite, keep the set of super admins small, since they are the users whose sessions a site-level administrator would be targeting.
3) Monitor import operations and plugin activity logs, and treat an import by a site administrator followed by the appearance of script tags in that site's content as suspicious.
4) Deploy Content Security Policy (CSP) headers to limit what an injected payload can do, noting that a policy containing 'unsafe-inline' in script-src (with no nonce or hash sources) gives no protection against stored XSS, and that wp-admin itself depends on inline script, so a strict policy is usually only feasible for the public front end.
5) Until a fixed version is available, remove the plugin from network sites that do not need it, or deactivate it in high-risk environments and reactivate it only for a planned migration.
6) Educate administrators on the risks of XSS and on cautious plugin management.
7) Keep WordPress core and plugins updated so the fix is picked up as soon as it is published.
8) Use web application firewall (WAF) rules tuned for XSS against WordPress plugins, keeping in mind that a WAF inspects request bodies and only catches payloads that appear in the clear; content delivered inside compressed or encoded import files passes it unseen.
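The audit in step 1 and the CSP caveat in step 4, as an added example that is not code from the advisory or from the servmask plugin. It checks an install offline by reading the plugin's Version header and wp-config.php, compares the version against the advisory's 7.97 ceiling, decides whether the install is in one of the two exposed configurations, and evaluates whether a Content-Security-Policy string actually forbids inline script. Assumed, not stated by the advisory: the plugin path wp-content/plugins/all-in-one-wp-migration/all-in-one-wp-migration.php, and the fixture sites constructed at the end, which are not real installs.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the servmask plugin.
# Offline exposure check for CVE-2025-8490: reads the plugin's "Version:"
# header and wp-config.php directly, so no WP-CLI or live site is needed.
# Assumption (not from the advisory): the plugin lives at
# wp-content/plugins/all-in-one-wp-migration/all-in-one-wp-migration.php.

AFFECTED_MAX="7.97"   # highest affected version per the advisory

# Print the Version: header of a plugin main file (handles "/* ... */" and
# " * Version: x" comment styles); prints nothing if the header is absent.
ai1wm_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if dotted version $1 <= $2, comparing field by field as numbers
# (so 7.9 < 7.97 < 7.100; plain string comparison would get that wrong).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0; bi = (i <= nb) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 0 }'
}

# The two configurations in which WordPress withholds unfiltered_html from
# administrators: multisite (only super admins keep it) and the
# DISALLOW_UNFILTERED_HTML constant (removes it from every role).
is_multisite() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]MULTISITE['\"][[:space:]]*,[[:space:]]*true" "$1"
}
unfiltered_html_disabled() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_UNFILTERED_HTML['\"][[:space:]]*,[[:space:]]*true" "$1"
}

# Classify one install rooted at $1. An affected version only matters in the
# two configurations above; elsewhere an administrator may post HTML anyway.
exposure() {
    plugin="$1/wp-content/plugins/all-in-one-wp-migration/all-in-one-wp-migration.php"
    config="$1/wp-config.php"
    [ -f "$plugin" ] || { echo "not-installed"; return 0; }
    v="$(ai1wm_version "$plugin")"
    [ -n "$v" ] || { echo "unknown-version"; return 0; }
    if ! version_le "$v" "$AFFECTED_MAX"; then echo "outside-affected-range"; return 0; fi
    if is_multisite "$config" || unfiltered_html_disabled "$config"; then
        echo "vulnerable"
    else
        echo "affected-version-but-not-exposed"
    fi
}

# Return 0 if a Content-Security-Policy string still permits inline script.
# 'unsafe-inline' in script-src (or default-src when script-src is absent)
# neutralises the header as an XSS control, unless a nonce or hash source is
# also present, in which case browsers ignore 'unsafe-inline'.
csp_allows_inline_script() {
    directives="$(printf '%s' "$1" | tr ';' '\n')"
    src="$(printf '%s\n' "$directives" | sed -n 's/^[[:space:]]*script-src[[:space:]]*//p')"
    [ -n "$src" ] || src="$(printf '%s\n' "$directives" | sed -n 's/^[[:space:]]*default-src[[:space:]]*//p')"
    [ -n "$src" ] || return 0          # neither directive: nothing restricts scripts
    case " $src " in
        *" 'unsafe-inline' "*)
            case "$src" in *nonce-*|*sha256-*|*sha384-*|*sha512-*) return 1 ;; esac
            return 0 ;;
    esac
    return 1
}

# Constructed fixture, not a real site: $1 = root, $2 = version, $3 = extra
# wp-config.php line(s).
make_fixture() {
    mkdir -p "$1/wp-content/plugins/all-in-one-wp-migration"
    printf '<?php\n/*\nPlugin Name: All-in-One WP Migration\nVersion: %s\n*/\n' "$2" \
        > "$1/wp-content/plugins/all-in-one-wp-migration/all-in-one-wp-migration.php"
    printf '<?php\n%s\n' "$3" > "$1/wp-config.php"
}

tmp="$(mktemp -d)"
make_fixture "$tmp/network" "7.97" "define('MULTISITE', true);"
make_fixture "$tmp/single"  "7.97" ""
make_fixture "$tmp/locked"  "7.9"  "define('DISALLOW_UNFILTERED_HTML', true);"
for site in network single locked; do
    printf '%-8s %s\n' "$site" "$(exposure "$tmp/$site")"
done
rm -rf "$tmp"
```

Point `exposure` at each document root found in the hosting inventory and act on every result of `vulnerable`; an `affected-version-but-not-exposed` install still wants the update, but is not a target for this particular flaw. Run `csp_allows_inline_script` against the policy the front end actually serves before counting CSP as a mitigation.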
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-01T21:37:26.217Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ae4421ad5a09ad005c699e
Added to database: 8/26/2025, 11:32:49 PM
Last enriched: 8/26/2025, 11:47:46 PM
Last updated: 8/27/2025, 8:25:16 AM
Related Threats
- CVE-2025-9514: Weak Password Requirements in macrozheng mall (Medium)
- CVE-2025-9513: Inadequate Encryption Strength in editso fuso (Medium)
- CVE-2025-9511: SQL Injection in itsourcecode Apartment Management System (Medium)
- CVE-2025-57797: Incorrect privilege assignment in PFU Limited ScanSnap Manager installers (High)
- CVE-2025-57846: Incorrect default permissions in Digital Arts Inc. i-フィルター 6.0 (High)