Does Backup Migration have any unpatched vulnerabilities?

No. All known vulnerabilities in Backup Migration have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Backup Migration compatible with WordPress 6.9.4?

According to WordPress.org data, Backup Migration 2.1.1 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Backup Migration compatible with PHP 5.6+?

Backup Migration requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Backup Migration updated?

Backup Migration was last updated on Feb 5, 2026. Frequent updates are generally a positive security signal.

What is Backup Migration's security score?

Backup Migration has a WP-Safety security score of 77/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Backup Migration Security & Risk Analysis

wordpress.org/plugins/backup-backup

Backup Migration

100K active installs v2.1.1 PHP 5.6+ WP 4.6+ Updated Feb 5, 2026

backupbackupsmigratemigrationstaging

B · Generally Safe

CVEs total12

Unpatched0

Last CVENov 3, 2025

Plugin page Download

Safety Verdict

Is Backup Migration Safe to Use in 2026?

Mostly Safe

Score 77/100

Backup Migration is generally safe to use. 12 past CVEs were resolved. Keep it updated.

12 known CVEsLast CVE: Nov 3, 2025Updated 1mo ago

Risk Assessment

The "backup-backup" v2.1.1 plugin presents a mixed security posture. While it demonstrates good practices in output escaping (99% proper) and a high percentage of SQL queries using prepared statements (79%), significant concerns remain regarding its attack surface and historical vulnerability patterns.

The static analysis reveals a notable attack surface with 12 AJAX handlers, four of which lack authentication checks. This creates potential entry points for unauthenticated users. Furthermore, the presence of dangerous functions like `unserialize` and `exec` within the code, combined with four unsanitized taint flows, indicates a risk of deserialization vulnerabilities and potential command injection or path traversal if these functions are not handled with extreme care and proper sanitization.

The plugin's vulnerability history is a major red flag, with a total of 12 known CVEs, including 3 critical and 6 high-severity issues. The diverse types of past vulnerabilities, ranging from deserialization and path traversal to OS command injection and CSRF, suggest a pattern of insecure coding practices that have historically led to severe exploits. The fact that all past vulnerabilities are listed as 'currently unpatched' (though this contradicts the CVE count indicating 0 currently unpatched) implies a history of significant security flaws that may not have been adequately addressed or may resurface.

In conclusion, while the plugin has some positive coding habits like robust output escaping, the significant number of unprotected AJAX handlers, the use of dangerous functions, and a deeply concerning vulnerability history necessitate extreme caution. The potential for exploitation through unauthenticated access and historically prevalent vulnerability types outweighs the positive aspects, marking this plugin as high risk.

Key Concerns

Unprotected AJAX handlers
Use of dangerous functions (unserialize, exec)
Unsanitized taint flows
High number of critical/high CVEs
Diverse historical vulnerability types
SQL queries not using prepared statements

Vulnerabilities

Backup Migration Security Vulnerabilities

CVEs by Year

1 CVE in 2021

2021

8 CVEs in 2023

2023

1 CVE in 2024

2024

2 CVEs in 2025

2025

Patched Has unpatched

Severity Breakdown

Critical

High

Medium

12 total CVEs

CVE-2025-12394high · 7.5Exposure of Sensitive Information to an Unauthorized Actor

Backup Migration <= 1.4.9 - Information Exposure to Unauthenticated Back-up Download

Nov 3, 2025 Patched in 2.0.0 (29d)

CVE-2024-10932high · 8.8Deserialization of Untrusted Data

Backup Migration <= 1.4.6 - Unauthenticated PHP Object Injection via 'recursive_unserialize_replace'

Jan 3, 2025 Patched in 1.4.6.1 (1d)

CVE-2024-32686medium · 5.3Insertion of Sensitive Information into Log File

Backup Migration <= 1.4.3 - Information Exposure via Log Files

Apr 17, 2024 Patched in 1.4.4 (8d)

CVE-2023-6972critical · 9.8Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Backup Migration <= 1.3.9 - Unauthenticated Path Traversal to Arbitrary File Deletion

Dec 22, 2023 Patched in 1.4.0 (221d)

CVE-2023-6971high · 8.1Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Backup Migration 1.0.8 - 1.3.9 - Remote File Inclusion via content-dir

Dec 22, 2023 Patched in 1.4.0 (221d)

CVE-2023-7002high · 7.2Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Backup Migration <= 1.3.9 - Authenticated (Admin+) OS Command Injection via url

Dec 22, 2023 Patched in 1.4.0 (221d)

CVE-2023-6553critical · 9.8Improper Control of Generation of Code ('Code Injection')

Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution

Dec 11, 2023 Patched in 1.3.8 (232d)

CVE-2023-6271critical · 9.8Exposure of Sensitive Information to an Unauthorized Actor

Backup Migration <= 1.3.5 - Unauthenticated Sensitive Information Exposure

Dec 7, 2023 Patched in 1.3.6 (47d)

CVE-2023-6266high · 7.5Exposure of Sensitive Information to an Unauthorized Actor

Backup Migration <= 1.3.6 - Unauthenticated Arbitrary Backup Download to Sensitive Information Exposure

Nov 30, 2023 Patched in 1.3.7 (243d)

WF-00274313-9079-4877-b72e-310e312aa814-backup-backupmedium · 4.3Cross-Site Request Forgery (CSRF)

Backup Migration <= 1.2.9 - Cross-Site Request Forgery

Sep 5, 2023 Patched in 1.3.0 (140d)

WF-e80a74f7-7983-4d66-a038-3c57c5d94ea1-backup-backuphigh · 7.5Insertion of Sensitive Information into Externally-Accessible File or Directory

Backup Migration <= 1.2.8 - Sensitive Information Exposure

May 10, 2023 Patched in 1.2.9 (258d)

CVE-2021-36884medium · 5.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Backup Migration <= 1.1.5 - Authenticated (Admin+) Stored Cross-Site Scripting

Nov 17, 2021 Patched in 1.1.6 (797d)

Code Analysis

Analyzed Mar 16, 2026

Backup Migration Code Analysis

Dangerous Functions

Raw SQL Queries

99 prepared

Unescaped Output

971 escaped

Nonce Checks

Capability Checks

File Operations

553

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$this->values = is_array($raw) ? $raw : @unserialize($raw);analyst\src\Cache\DatabaseCache.php:47

exec@exec(BMI_CLI_EXECUTABLE . ' -f "' . $cliHandler . '" bmi_backup_cron ' . $name . ' > /dev/null &', includes\ajax.php:2465

exec@exec(BMI_CLI_EXECUTABLE . ' -f "' . $cliHandler . '" bmi_backup ' . $name . ' > /dev/null &', $res)includes\ajax.php:2467

exec@exec(BMI_CLI_EXECUTABLE . ' -f "' . $cliHandler . '" bmi_restore ' . $backupName . ' ' . $remoteTypincludes\ajax.php:3024

exec@exec(BMI_CLI_EXECUTABLE . ' -f "' . $cliHandler . '" bmi_quick_migration "' . $url . '" > /dev/nullincludes\ajax.php:3442

exec@exec('(sed "s/:/\n/g" <<< $PATH) 2>&1', $system_paths);includes\cli\php_cli_finder.php:60

exec@exec('(for i in $(ls ' . $path . ' | grep "php"); do [ -x ' . $path . '/$i ] && echo ' . $path . '/includes\cli\php_cli_finder.php:92

exec@exec($exe . ' --version 2>&1', $shell_version);includes\cli\php_cli_finder.php:129

exec@exec($exe . ' -r "echo phpversion();" 2>&1', $inline_version);includes\cli\php_cli_finder.php:153

exec@exec($exe . ' -f ' . $path_to_cli . ' 2>&1', $file_version);includes\cli\php_cli_finder.php:165

exec@exec('echo "It works!" 2>&1', $output);includes\cli\php_cli_finder.php:263

unserialize$string = @unserialize($string, ['allowed_classes' => false]);includes\database\better-restore.php:423

unserialize$unserialized = @unserialize($data, ['allowed_classes' => false]);includes\database\better-restore.php:960

unserialize$plugins = unserialize($this->seek['active_plugins']);includes\database\even-better-restore-v3.php:712

unserialize$plugins = unserialize($this->seek['active_plugins']);includes\database\even-better-restore-v4.php:753

unserializeif (is_string($data) && is_serialized($data) && ($unserialized = @unserialize($data, ['allowed_classincludes\database\search-replace.php:52

unserializeupdate_option('active_plugins', unserialize(file_get_contents($tempTheme . DIRECTORY_SEPARATOR . '.eincludes\extracter\extract.php:390

SQL Query Safety

79% prepared125 total queries

Output Escaping

99% escaped979 total outputs

Data Flows

4 unsanitized

Data Flow Analysis

9 flows4 with unsanitized paths

restoreBackup (includes\ajax.php:2943)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

4 unprotected

Backup Migration Attack Surface

Entry Points12

Unprotected4

AJAX Handlers 12

authwp_ajax_analyst_notification_dismissanalyst\src\Mutator.php:103

authwp_ajax_inisev_installationincludes\banner\misc.php:65

authwp_ajax_inisev_installation_widgetincludes\banner\misc.php:66

authwp_ajax_backup_migrationincludes\initializer.php:171

authwp_ajax_bmip_keepaliveincludes\offline.php:29

noprivwp_ajax_bmip_keepaliveincludes\offline.php:30

noprivwp_ajax_bmip_auth_handshakeincludes\offline.php:33

authwp_ajax_bmip_auth_handshakeincludes\offline.php:34

authwp_ajax_backup_migrationincludes\offline.php:37

authwp_ajax_bmi_gdrive_bannermodules\gdrivebanner\misc.php:46

authwp_ajax_dismiss_new_bb_bannermodules\new-bb-banner\misc.php:90

authwp_ajax_inisev_reviewmodules\review\review.php:112

WordPress Hooks 41

actionwp_loadedanalyst\main.php:67

actionwp_loadedanalyst\src\Analyst.php:84

actionadmin_footeranalyst\src\Mutator.php:59

actionadmin_noticesanalyst\src\Mutator.php:77

actionadmin_enqueue_scriptsanalyst\src\Mutator.php:89

actioninitbackup-backup.php:52

actionadmin_menuincludes\banner\misc.php:110

actionadmin_menuincludes\banner\misc.php:123

actionins_global_print_carrouselincludes\banner\misc.php:165

actionbmi_pro_aws_s3_templateincludes\bodies\storage\aws.php:13

actionbmi_pro_dropbox_templateincludes\bodies\storage\dropbox.php:13

actionbmi_pro_ftp_templateincludes\bodies\storage\ftp.php:15

actionbmi_pro_google_drive_templateincludes\bodies\storage\gdrive.php:13

actionbmi_pro_wasabi_templateincludes\bodies\storage\wasabi.php:13

filterbmi_cli_enabledincludes\class-backup-method-mananger.php:208

actionwp_headincludes\initializer.php:38

actionwp_loadedincludes\initializer.php:117

actionwp_loadedincludes\initializer.php:121

actionbmi_do_backup_right_nowincludes\initializer.php:124

actionbmi_handle_cron_checkincludes\initializer.php:125

actionwp_loadedincludes\initializer.php:126

actionwp_loadedincludes\initializer.php:127

actionadmin_noticesincludes\initializer.php:128

actionadmin_initincludes\initializer.php:179

actionadmin_menuincludes\initializer.php:180

actionadmin_noticesincludes\initializer.php:181

filtersecurityninja_whitelistincludes\initializer.php:188

actionadmin_enqueue_scriptsincludes\initializer.php:196

actionadmin_enqueue_scriptsincludes\initializer.php:197

actionbmi_external_errorsincludes\initializer.php:200

actionadmin_noticesincludes\initializer.php:220

actionbmi_ajax_offlineincludes\offline.php:23

filterallowed_http_originsincludes\offline.php:40

actionadmin_footerincludes\offline.php:51

actionadmin_noticesmodules\gdrivebanner\misc.php:59

actionwp_loadedmodules\new-bb-banner\misc.php:98

actionadmin_enqueue_scriptsmodules\new-bb-banner\misc.php:251

actionadmin_noticesmodules\new-bb-banner\misc.php:252

actionwp_loadedmodules\review\review.php:121

actionadmin_enqueue_scriptsmodules\review\review.php:311

actionadmin_noticesmodules\review\review.php:312

Scheduled Events 3

bmi_do_backup_right_now

Maintenance & Trust

Backup Migration Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedFeb 5, 2026

PHP min version5.6

Downloads2.2M

Community Trust

Rating98/100

Number of ratings1,298

Active installs100K

Alternatives

Backup Migration Alternatives

WPvivid — Backup, Migration & Staging

wpvivid-backuprestore

Migrate, staging, backup WordPress, all in one.

900K 26 CVEs

WP STAGING – WordPress Backup, Restore & Migration

wp-staging

Backup, restore, staging, and migration for WordPress. Create full-site backups and test updates safely.

100K 4 CVEs

BlogVault Backup & Staging

blogvault-real-time-backup

Secure incremental backups with staging, migration, and one-click restore for WordPress. Offsite storage and easy recovery.

80K 1 CVE

InstaWP Connect – 1-click WP Staging & Migration

instawp-connect

Create a staging WordPress site from production (live site). Ideal for testing updates, version change or re-write. Sync back only the changes.

30K 15 CVEs

Backup and Staging by WP Time Capsule

wp-time-capsule

Backup and Staging by WP Time Capsule is an automated incremental backup plugin that backs up your website changes as per your schedule to Dropbox, Go …

20K 7 CVEs

Developer Profile

Backup Migration Developer Profile

Inisev

6 plugins · 620K total installs

trust score

Avg Security Score

93/100

Avg Patch Time

480 days

View full developer profile

Detection Fingerprints

How We Detect Backup Migration

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/backup-backup/assets/css/backup-backup.css/wp-content/plugins/backup-backup/assets/js/backup-backup.js/wp-content/plugins/backup-backup/assets/js/backup-backup-dashboard.js/wp-content/plugins/backup-backup/assets/css/dashboard.css

Script Paths

/wp-content/plugins/backup-backup/assets/js/backup-backup.js/wp-content/plugins/backup-backup/assets/js/backup-backup-dashboard.js

Version Parameters

backup-backup/assets/css/backup-backup.css?ver=backup-backup/assets/js/backup-backup.js?ver=backup-backup/assets/js/backup-backup-dashboard.js?ver=

HTML / DOM Fingerprints

CSS Classes

bmi-backup-dashboardbmi-backup-containerbackup-backup-uibackup-backup-modal

HTML Comments

Data Attributes

data-bmi-actiondata-bmi-controller

JS Globals

Backup_Migration_PluginBMI_Dashboard

REST Endpoints

/wp-json/backup-backup/v1/

FAQ

Backup Migration Security & Risk Analysis

Is Backup Migration Safe to Use in 2026?

Mostly Safe

Key Concerns

Backup Migration Security Vulnerabilities

CVEs by Year

Severity Breakdown

Backup Migration Code Analysis

Dangerous Functions Found

SQL Query Safety

Output Escaping

Data Flow Analysis

Backup Migration Attack Surface

AJAX Handlers 12

Scheduled Events 3

Backup Migration Maintenance & Trust

Maintenance Signals

Community Trust

Backup Migration Alternatives

WPvivid — Backup, Migration & Staging

WP STAGING – WordPress Backup, Restore & Migration

BlogVault Backup & Staging

InstaWP Connect – 1-click WP Staging & Migration

Backup and Staging by WP Time Capsule

Backup Migration Developer Profile

How We Detect Backup Migration

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Backup Migration