CVE-2025-8490 is a stored cross-site scripting (XSS) vulnerability identified in the servmask All-in-One WP Migration and Backup plugin for WordPress, affecting all versions up to and including 7.97. The vulnerability arises from improper input sanitization and insufficient output escaping during the import process, allowing authenticated users with administrator-level access to inject arbitrary JavaScript code into pages. This malicious code executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability specifically affects WordPress multi-site installations or those where the unfiltered_html capability is disabled, limiting its scope. The attack vector requires network access (remote), high attack complexity due to the need for administrator privileges, and no user interaction is needed once the script is injected. The vulnerability impacts confidentiality and integrity but not availability, as indicated by the CVSS vector (C:L/I:L/A:N). No public exploits have been reported yet, but the vulnerability's presence in a widely used WordPress plugin makes it a concern for site administrators. The plugin is popular for site migration and backup tasks, often deployed in enterprise and managed hosting environments. The vulnerability was published on August 26, 2025, with a medium severity rating and a CVSS score of 4.4.

The primary impact of CVE-2025-8490 is the potential for stored XSS attacks on WordPress sites using the affected plugin in multi-site configurations or with unfiltered_html disabled. Successful exploitation allows attackers with administrator privileges to inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of legitimate users. While the vulnerability requires high privileges to exploit, the consequences can be severe in environments where multiple users access the site, including administrators and editors. This can undermine trust, lead to data breaches, and facilitate further attacks such as privilege escalation or malware distribution. The impact is limited to confidentiality and integrity, with no direct effect on availability. Organizations relying on this plugin for migration and backup in multi-site WordPress deployments are at risk, especially managed service providers and enterprises with complex WordPress infrastructures. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits over time.

To mitigate CVE-2025-8490, organizations should first verify if they are running the All-in-One WP Migration and Backup plugin version 7.97 or earlier in a multi-site WordPress environment or with unfiltered_html disabled. Immediate mitigation steps include: 1) Applying any available patches or updates from servmask once released; 2) Restricting administrator access to trusted personnel only, minimizing the number of users with high privileges; 3) Temporarily disabling the Import feature if possible to prevent exploitation; 4) Implementing Web Application Firewall (WAF) rules to detect and block suspicious script injection attempts targeting the import functionality; 5) Regularly auditing user accounts and permissions to ensure no unauthorized administrators exist; 6) Monitoring logs for unusual activity related to the import process or script injections; 7) Educating administrators about the risks of importing untrusted data; 8) Considering alternative migration and backup solutions if patching is delayed. Since the vulnerability requires administrator privileges, strong multi-factor authentication (MFA) and strict access controls are critical to reduce exploitation risk.