CVE-2025-8490 is a stored Cross-Site Scripting (XSS) vulnerability affecting the All-in-One WP Migration and Backup plugin for WordPress, developed by servmask. This vulnerability exists in all versions up to and including 7.97. The root cause is improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping in the Import functionality. The flaw allows an authenticated attacker with administrator-level privileges to inject arbitrary malicious scripts into pages within WordPress multi-site installations or installations where the 'unfiltered_html' capability has been disabled. When other users access these injected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability requires high privileges (administrator access) and does not require user interaction beyond visiting the compromised page. The CVSS v3.1 base score is 4.4 (medium severity), reflecting a network attack vector, high attack complexity, high privileges required, no user interaction, and a scope change with low confidentiality and integrity impact but no availability impact. No known exploits are reported in the wild as of the publication date (August 26, 2025). There is no patch link provided, indicating that a fix may not yet be available or publicly disclosed. The vulnerability specifically affects multi-site WordPress installations or those with restricted HTML capabilities, limiting its scope somewhat but still posing a risk in environments where these configurations are common.

For European organizations, the impact of CVE-2025-8490 depends largely on their use of WordPress multi-site installations with the All-in-One WP Migration and Backup plugin and their configuration settings. Organizations running multi-site WordPress environments, such as universities, government agencies, large enterprises, and managed service providers, are at higher risk. Successful exploitation could allow attackers with administrator access to inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, theft of sensitive data, or further compromise of the WordPress environment. Although exploitation requires administrator privileges, insider threats or compromised administrator accounts could leverage this vulnerability to escalate attacks. The vulnerability could undermine trust in web portals and intranets, disrupt business operations, and lead to data breaches involving personal or confidential information. Given the widespread use of WordPress in Europe and the popularity of the All-in-One WP Migration plugin, the vulnerability could affect a significant number of organizations, especially those with complex multi-site setups. However, the medium CVSS score and requirement for high privileges reduce the likelihood of widespread exploitation by external attackers without prior access.

European organizations should take the following specific mitigation steps: 1) Immediately audit WordPress environments to identify multi-site installations using the All-in-One WP Migration and Backup plugin, especially versions up to 7.97. 2) Restrict administrator access strictly to trusted personnel and implement strong multi-factor authentication to reduce the risk of compromised admin accounts. 3) Where possible, enable the 'unfiltered_html' capability to trusted users only or review configurations that disable it, as this setting affects exploitability. 4) Monitor and review import operations and plugin usage logs for suspicious activity indicative of script injection attempts. 5) Apply any available patches or updates from servmask as soon as they are released; if no patch is available, consider temporarily disabling the plugin or restricting its use in multi-site environments. 6) Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script payloads targeting the import functionality. 7) Educate administrators on the risks of XSS and the importance of cautious plugin management and input validation. 8) Regularly backup WordPress sites and test restoration procedures to recover quickly from potential compromises.