CVE-2025-8490: What You Need to Know

First things first: Your site has not been hacked. We’re writing to let you know about a security fix we’ve implemented in version 7.98 of All-in-One WP Migration. While we take all security matters seriously, we want to be clear that this particular issue could only be exploited by someone who already has administrator access to your WordPress site.

Why This Update Isn’t Cause for Alarm

Here’s the simple truth: for someone to exploit this vulnerability, they would need to already be logged in as an administrator on your site. And if someone already has admin access to your WordPress site, they can already do anything they want – install plugins, change themes, modify content, or access your data. They wouldn’t need this vulnerability to cause harm.

Think of it this way: it’s like discovering that someone with the master key to your house could also open a specific window. If they already have the master key, the window doesn’t really matter – but we fixed it anyway because security is about closing every possible gap, no matter how small.

What We Fixed

In technical terms, we patched a “Stored Cross-Site Scripting (XSS)” vulnerability in our import feature. In plain English: there was a way for an administrator to potentially inject code when importing a backup file. Again, only administrators could do this, and administrators can already add code to your site through dozens of other normal WordPress features.

Do You Need to Do Anything?

We recommend updating to version 7.98 simply because it’s good practice to keep all your plugins updated. It’s like getting regular oil changes for your car – preventive maintenance that keeps everything running smoothly.

To update:

  1. Go to your WordPress dashboard
  2. Click on Plugins
  3. Find All-in-One WP Migration and click Update Now

That’s it! The whole process takes about 10 seconds.
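
For anyone who looks after many sites, the same check can be scripted. The following is an added example, not code from the All-in-One WP Migration team: it reads the plugin's Version header from disk and reports whether each site is on 7.98 or later. The plugin path and main file name are assumptions based on a default WordPress layout, and the sample header is constructed.

```python
import re
import sys
from pathlib import Path

FIXED = (7, 98)  # first fixed release, per this advisory
# Assumption: default WordPress layout and the plugin's usual directory name.
PLUGIN_FILE = Path("wp-content/plugins/all-in-one-wp-migration/all-in-one-wp-migration.php")
# Same shape WordPress uses to find header fields in the plugin's comment block.
HEADER = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)

# Constructed sample header, not copied from the plugin.
SAMPLE = "<?php\n/**\n * Plugin Name: All-in-One WP Migration\n * Version: 7.97\n */\n"


def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    match = HEADER.search(text[:8192])  # WordPress only scans the first 8 KB
    return tuple(int(p) for p in match.group(1).split(".")) if match else None


def classify(version):
    """Compare numerically: as tuples 7.100 is newer than 7.98, as text it is not."""
    if version is None:
        return "unknown"
    return "ok" if version >= FIXED else "outdated"


def audit(site_root):
    """Return (status, version tuple or None) for one WordPress document root."""
    path = Path(site_root) / PLUGIN_FILE
    if not path.is_file():
        return "not-installed", None
    version = parse_version(path.read_text(encoding="utf-8", errors="replace"))
    return classify(version), version


if __name__ == "__main__":
    print("sample:", classify(parse_version(SAMPLE)))  # constructed header check
    for root in sys.argv[1:]:
        status, version = audit(root)
        shown = ".".join(map(str, version)) if version else "-"
        print(f"{root}\t{status}\t{shown}")
```

Pass one or more WordPress document roots as arguments; any site reported as outdated or unknown should be updated through the steps above.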

Thank You to the Security Researchers

We want to thank Wordfence and security researcher Jack Pas from Black Lantern Security for bringing this to our attention through responsible disclosure. This is how the security community works together – researchers find potential issues, report them privately to developers, and we fix them before they become actual problems.

The Bottom Line

  • You have not been hacked
  • Your data is safe
  • This could only be exploited by someone who’s already an admin (and if they’re an admin, they don’t need exploits)
  • Updating is quick and easy – just good housekeeping
  • We’ve seen zero evidence of anyone actually using this vulnerability

We believe in being transparent with our users, which is why we’re sharing this information. Security updates like this are routine in the WordPress world, and they show that developers and security researchers are actively working to keep your sites safe.

If you have any questions or concerns, our support team is always here to help.

Stay safe and keep building amazing things with WordPress!

The All-in-One WP Migration Team