WP-Safety

1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone Security & Risk Analysis

wordpress.org/plugins/1-click-migration

Free WordPress migration plugin for backup, restore, clone, and site transfer with zero downtime. Migrate WordPress site easily.

400 active installs v2.5.3 PHP 7.4+ WP 4.0+ Updated Mar 13, 2026
clone-wordpresswordpress-backupwordpress-migrationwordpress-restorewordpress-site-transfer
71
B · Generally Safe
CVEs total4
Unpatched1
Last CVEMay 8, 2025
Plugin page Download
Safety Verdict

Is 1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone Safe to Use in 2026?

Mostly Safe

Score 71/100

1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone is generally safe to use. 4 past CVEs were resolved. Keep it updated.

4 known CVEs 1 unpatched Last CVE: May 8, 2025Updated 20d ago
Risk Assessment

The '1-click-migration' plugin v2.5.5 exhibits a mixed security posture with several concerning areas despite some good practices. While a high percentage of outputs are properly escaped and a decent number of SQL queries utilize prepared statements, the presence of unprotected AJAX handlers is a significant risk. These two entry points without authentication checks could allow unauthenticated users to trigger potentially sensitive operations, especially given the plugin's function of migration which often involves file handling and data manipulation. The taint analysis also flagged a flow with an unsanitized path, which, while not rated critical or high in severity in this specific analysis, points to a potential for path traversal vulnerabilities if not carefully handled. The plugin's vulnerability history is a major red flag. With four known CVEs, including one high-severity unpatched vulnerability, and common patterns of unrestricted file uploads and information exposure, this plugin has a track record of serious security flaws. This suggests a recurring pattern of insecure coding practices and a need for more robust security auditing within the development lifecycle. The use of dangerous functions like `proc_open` and `unserialize` further heightens the risk profile, as these functions can be leveraged in various exploit chains if not meticulously secured.

Key Concerns

  • Unpatched high severity CVE
  • Unprotected AJAX handlers
  • Unsanitized path in taint flow
  • Dangerous function: unserialize
  • Dangerous function: proc_open
  • Dangerous function: preg_replace(/e)
  • Bundled library: Guzzle
Vulnerabilities
4

1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone Security Vulnerabilities

CVEs by Year

4 CVEs in 2025 · unpatched
2025
Patched Has unpatched

Severity Breakdown

High
1
Medium
3

4 total CVEs

CVE-2025-3455high · 8.8Unrestricted Upload of File with Dangerous Type

1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload

May 8, 2025 Patched in 2.3 (182d)
CVE-2025-32257medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

1 Click WordPress Migration <= 2.2 - Unauthenticated Information Disclsoure

Apr 4, 2025Unpatched
CVE-2024-13555medium · 5.3Cross-Site Request Forgery (CSRF)

1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.2 - Cross-Site Request Forgery to Backup Process Cancellation

Feb 17, 2025 Patched in 2.3 (262d)
CVE-2024-13609medium · 5.9Exposure of Sensitive Information to an Unauthorized Actor

1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.2 - Unauthenticated Sensitive Information Exposure via Database Backup in class-ocm-backup.php

Feb 17, 2025 Patched in 2.3 (262d)
Code Analysis
Analyzed Mar 16, 2026

1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone Code Analysis

Dangerous Functions
5
Raw SQL Queries
21
20 prepared
Unescaped Output
10
79 escaped
Nonce Checks
5
Capability Checks
9
File Operations
50
External Requests
4
Bundled Libraries
1

Dangerous Functions Found

proc_openreturn proc_open($cmd, $descriptorspec, $pipes, $cwd, $env, $other_options);inc\db\class-ocm-db-import.php:161
unserialize$unserialized_string = @unserialize( $serialized_string );inc\db\class-ocm-db.php:411
preg_replace(/e)preg_replace( "/([\340-\357])([\200-\277])([\200-\277])/e"inc\db\class-ocm-search-replace-db.php:932
preg_replace(/e)preg_replace( "/([\300-\337])([\200-\277])/e"inc\db\class-ocm-search-replace-db.php:937
unserializeif( is_string( $data ) ) $unserialized = @unserialize( $data );inc\db\class-ocm-search-replace-db.php:571

Bundled Libraries

Guzzle

SQL Query Safety

49% prepared41 total queries

Output Escaping

89% escaped89 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

2 flows1 with unsanitized paths
get_excluded_folders (inc\backup\class-ocm-backup.php:2073)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone Attack Surface

Entry Points4
Unprotected2

AJAX Handlers 2

authwp_ajax_ocm_restart_failed_processone-click-migration.php:89
authwp_ajax_ocm_make_paymentone-click-migration.php:114

REST API Routes 2

GET/wp-json/ocm/v1/progress/one-click-migration.php:95
GET/wp-json/ocm/v1/bucket_exists/one-click-migration.php:105
WordPress Hooks 12
actionadmin_menuone-click-migration.php:85
actionadmin_initone-click-migration.php:86
actionadmin_enqueue_scriptsone-click-migration.php:87
actionadmin_post_start_backupone-click-migration.php:88
actionadmin_post_start_restoreone-click-migration.php:90
actionadmin_post_cancel_actionsone-click-migration.php:91
actionplugins_loadedone-click-migration.php:92
actionplugins_loadedone-click-migration.php:93
actionrest_api_initone-click-migration.php:94
actionrest_api_initone-click-migration.php:104
actionadmin_noticesone-click-migration.php:115
actiontemplate_redirectone-click-migration.php:700
Maintenance & Trust

1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 13, 2026
PHP min version7.4
Downloads23K

Community Trust

Rating90/100
Number of ratings35
Active installs400
Alternatives

1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone Alternatives

Backup, Restore and Migrate your sites with XCloner

Backup, Restore and Migrate your sites with XCloner

xcloner-backup-and-restore

B
76

XCloner is a backup plugin that allows you to safely back up and restore your WordPress sites. You can send site backups to SFTP, Dropbox, Amazon, Goo &hellip;

10K 16 CVEs
WebToffee WP Backup and Migration

WebToffee WP Backup and Migration

wp-migration-duplicator

A
97

Easily backup, restore, or migrate. Supports one-click backup and scheduled backup. Backup selected content to Amazon S3, Google Drive, FTP/SFTP, etc.

6K 7 CVEs
Transferito: WP Migration

Transferito: WP Migration

transferito

A
100

The easiest 1-Click WordPress Migration plugin that will migrate, clone, transfer and move your WordPress site to any host in seconds.

500 No CVEs
SEInc Backup

SEInc Backup

seinc-backup

A
92

A simple WordPress backup plugin for creating and managing backups of your WordPress site to custom folder path.

0 No CVEs
UpdraftPlus: WP Backup & Migration Plugin

UpdraftPlus: WP Backup & Migration Plugin

updraftplus

A
90

Backup, restore or migrate your WordPress website to another host or domain. Schedule backups or run manually. Migrate in minutes.

3.0M 14 CVEs
Developer Profile

1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone Developer Profile

1clickmigration

1 plugin · 400 total installs

59
trust score
Avg Security Score
71/100
Avg Patch Time
235 days
View full developer profile
Detection Fingerprints

How We Detect 1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/1-click-migration/css/jquery-ui.css/wp-content/plugins/1-click-migration/css/multiselect.css/wp-content/plugins/1-click-migration/css/admin-style.css/wp-content/plugins/1-click-migration/js/jquery.md5.min.js/wp-content/plugins/1-click-migration/js/jquery-ui.js/wp-content/plugins/1-click-migration/js/admin-script.js
Script Paths
/wp-content/plugins/1-click-migration/js/jquery.md5.min.js/wp-content/plugins/1-click-migration/js/jquery-ui.js/wp-content/plugins/1-click-migration/js/admin-script.js
Version Parameters
1-click-migration/css/admin-style.css?ver=1-click-migration/js/jquery.md5.min.js?ver=1-click-migration/js/admin-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
ocm-user-emailocm-user-passwordhiddenui-dialogui-dialog-titlebarui-dialog-contentui-widgetui-widget-content+59 more
Data Attributes
data-ocm-emaildata-ocm-passworddata-ocm-backup-startdata-ocm-restore-startdata-ocm-cancel-actiondata-ocm-restart-failed+1 more
JS Globals
OCMocm_admin_md5
REST Endpoints
/wp-json/ocm/v1/progress//wp-json/ocm/v1/bucket_exists/
FAQ

Frequently Asked Questions about 1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone