PLUGIN SECURITY
Is All-in-One WP Migration and Backup safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the All-in-One WP Migration and Backup WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
all-in-one-wp-migration - Requires PHP: 5.3+
- Max supported PHP (analyzed): <8.0
Known vulnerabilities
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.41 [CVE-2021-24216, All-in-One WP Migration < 7.41 - Admin+ Arbitrary File Upload to RCE, All-in-One WP Migration <= 7.40 - Authenticated (Admin+) Arbitrary File Upload]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.59 [CVE-2022-1476, WordPress All in One WP Migration plugin <= 7.58 - Directory Traversal to File Deletion on Windows Hosts vulnerability, All-in-One WP Migration < 7.59 - Admin+ File Deletion on Windows Hosts via Path Traversal, All-in-One WP Migration <= 7.58 - Directory Traversal to File Deletion on Windows Hosts]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.15 [WordPress All-in-One WP Migration plugin <= 7.14 - Arbitrary Backup Download vulnerability]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.0 [WordPress All-in-One WP Migration plugin <= 6.97 - Cross-Site Scripting (XSS) vulnerability (admin backend)]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 2.0.5 [WordPress Migration Plugin <= 2.0.4 - Unauthenticated Database Export]
+ 15 more known vulnerabilities
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.63 [CVE-2022-2546, WordPress All-in-One WP Migration plugin <= 7.62 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability, All-in-One WP Migration <= 7.62 - Unauthenticated Reflected Cross-Site Scripting, All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.15 [All-in-One WP Migration < 7.15 - Arbitrary Backup Download]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.0 [All-in-One WP Migration < 7.0 - Authenticated Cross-Site Scripting (XSS)]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 6.46 [All-in-One WP Migration < 6.46 - Reflected Cross-Site Scripting (XSS)]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 2.0.5 [All-in-One WP Migration < 2.0.5 - Unauthenticated Database Export]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.63 [All-in-One WP Migration <= 7.62 - Authenticated (Admin+) Cross-Site Scripting]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.15 [All-in-One WP Migration <= 7.14 - Unauthenticated Backup Download]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.0 [All-in-One WP Migration <= 6.97 - Authenticated Stored Cross-Site Scripting]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 6.46 [All-in-One WP Migration <= 6.45 - Reflected Cross-Site Scripting]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 2.0.5 [All-in-One WP Migration <= 2.0.4 - Missing Authorization to Database Export]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 2.0.3 [All-in-One WP Migration <= 2.0.2 - Authorization Bypass to Arbitrary File Upload]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.87 [CVE-2024-8852, WordPress All-in-One WP Migration Plugin <= 7.86 is vulnerable to Sensitive Data Exposure, All-in-One WP Migration and Backup <= 7.86 - Unauthenticated Information Disclosure via Error Logs]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.87 [CVE-2024-9162, All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection, WordPress All-in-One WP Migration Plugin <= 7.86 is vulnerable to PHP Object Injection]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.90 [CVE-2024-10942, WordPress All-in-One WP Migration Plugin <= 7.89 is vulnerable to PHP Object Injection, All in One WP Migration <= 7.89 - Unauthenticated PHP Object Injection, EUVD-2025-6287]
- All-in-One WP Migration and Backup [all-in-one-wp-migration] < 7.98 [CVE-2025-8490, All-in-One WP Migration and Backup <= 7.97 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import, EUVD-2025-25952]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- UpdraftPlus: WP Backup & Migration Plugin — 3000000+ active installs — max PHP <8.0
- Jetpack – WP Security, Backup, Speed, & Growth — 3000000+ active installs
- Yoast Duplicate Post — 3000000+ active installs — max PHP 8.4
- Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More — 1000000+ active installs — max PHP <8.0
- ManageWP Worker — 1000000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.