WebToffee WP Backup and Migration Security & Risk Analysis

wordpress.org/plugins/wp-migration-duplicator

Easily backup, restore, or migrate. Supports one-click backup and scheduled backup. Backup selected content to Amazon S3, Google Drive, FTP/SFTP, etc.

6K active installs · v1.5.8 · PHP 5.6+ · WP 3.3+ · Updated Dec 2, 2025
Tags: backup-and-restore-wordpress, cloud-backup, database-restore, wordpress-backup, wordpress-migration
Score: 97 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: Jan 13, 2025
Safety Verdict

Is WebToffee WP Backup and Migration Safe to Use in 2026?

Generally Safe

Score 97/100

WebToffee WP Backup and Migration has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Jan 13, 2025 · Updated 4mo ago
Risk Assessment

The wp-migration-duplicator plugin, version 1.5.8, exhibits a mixed security posture. While it demonstrates good practices in output escaping (91% proper) and a decent percentage of SQL queries using prepared statements (66%), several significant concerns are present. The plugin exposes a substantial attack surface with 22 AJAX handlers, a concerning 16 of which lack proper authorization checks. This, combined with 5 flows found with unsanitized paths during taint analysis, indicates a potential for unauthorized access and manipulation of plugin functionality. The presence of dangerous functions like 'unserialize' further heightens this risk if not handled with extreme care.

The vulnerability history of this plugin is a significant red flag. With a total of 7 known CVEs, all of which are currently patched, the historical pattern reveals recurring issues related to missing authorization, exposure of sensitive information, and cross-site scripting. While there are no currently unpatched vulnerabilities, the frequency and types of past vulnerabilities suggest a recurring weakness in the plugin's security implementation. This historical context, when combined with the static analysis findings, suggests that the plugin, despite some positive security indicators, has a track record of critical security flaws that users should be aware of.

In conclusion, while wp-migration-duplicator version 1.5.8 shows some commitment to secure coding practices, the high number of unprotected AJAX endpoints, potential for unsanitized path flows, and a history of medium severity vulnerabilities related to authorization and information exposure represent notable weaknesses. Users should exercise caution and ensure the plugin is kept up-to-date, and consideration should be given to the potential risks associated with its extensive unprotected entry points.

Key Concerns

  • 16 unprotected AJAX handlers
  • 5 unsanitized paths in taint analysis
  • 7 total known CVEs (all patched)
  • 7 dangerous functions (unserialize)
  • 25% of SQL queries not prepared
  • Bundled libraries (Select2, Guzzle)
Vulnerabilities
7

WebToffee WP Backup and Migration Security Vulnerabilities

CVEs by Year

2023: 4 CVEs
2024: 2 CVEs
2025: 1 CVE

Severity Breakdown

Medium: 7

7 total CVEs

CVE-2025-24651 · medium · 5.3 · Insertion of Sensitive Information into Log File

WebToffee WP Backup and Migration <= 1.5.3 - Unauthenticated Sensitive Information Exposure

Jan 13, 2025 Patched in 1.5.4 (100d)
CVE-2024-3546 · medium · 4.3 · Missing Authorization

WordPress Backup & Migration <= 1.4.8 - Missing Authorization to Directory Traversal

Apr 22, 2024 Patched in 1.4.9 (11d)
CVE-2024-31254 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

WordPress Backup & Migration <= 1.4.7 - Unauthenticated Sensitive Information Exposure

Apr 5, 2024 Patched in 1.4.8 (7d)
CVE-2023-5737 · medium · 4.3 · Missing Authorization

WordPress Backup & Migration <= 1.4.3 - Missing Authorization to Settings Update

Nov 6, 2023 Patched in 1.4.4 (78d)
CVE-2023-5738 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Backup & Migration <= 1.4.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Nov 6, 2023 Patched in 1.4.5 (78d)
CVE-2023-45636 · medium · 5.4 · Missing Authorization

WordPress Backup & Migration <= 1.4.1 - Missing Authorization to Settings and Schedule Modification

Oct 11, 2023 Patched in 1.4.2 (104d)
CVE-2023-33928 · medium · 4.3 · Missing Authorization

WordPress Backup & Migration <= 1.4.0 - Missing Authorization via wt_delete_schedule

May 24, 2023 Patched in 1.4.1 (244d)
Code Analysis
Analyzed Mar 16, 2026

WebToffee WP Backup and Migration Code Analysis

Dangerous Functions: 7
Raw SQL Queries: 11 (21 prepared)
Unescaped Output: 43 (419 escaped)
Nonce Checks: 10
Capability Checks: 7
File Operations: 104
External Requests: 4
Bundled Libraries: 2

Dangerous Functions Found

unserialize · admin\class-wp-migration-duplicator-admin.php:484
    $ftree_data = !empty($cron_settings)&& isset($cron_settings['data'])&& !empty($cron_settings['data'
unserialize · admin\modules\export\export.php:1628
    $out['data'] = unserialize($cron_listv['data']);
unserialize · admin\modules\ftp\ftp.php:505
    $ftp_settings = unserialize($cron_settings['data']);
unserialize · admin\modules\googledrive\googledrive.php:588
    $gdrive_settings = isset($cron_settings['data']) && !empty($cron_settings['data']) ? unserialize($cr
unserialize · admin\modules\import\import.php:834
    if (is_string($data) && ($unserialized = @unserialize($data)) !== FALSE) {
unserialize · admin\modules\s3\s3.php:521
    $s3_settings = isset($cron_settings['data']) && !empty($cron_settings['data']) ? unserialize($cron_s
unserialize · admin\modules\s3\src\Signature\V4.php:93
    $queryParameters = unserialize($serialisedParams);

Bundled Libraries

Select2, Guzzle

SQL Query Safety

66% prepared · 32 total queries

Output Escaping

91% escaped · 462 total outputs
Data Flows
5 unsanitized

Data Flow Analysis

17 flows · 5 with unsanitized paths
download_file (admin\class-wp-migration-duplicator-admin.php:499)
Attack Surface
16 unprotected

WebToffee WP Backup and Migration Attack Surface

Entry Points: 22
Unprotected: 16

AJAX Handlers 22

auth · wp_ajax_wp_mgdp_check_authentication · admin\class-wp-migration-duplicator-admin.php:73
auth · wp_ajax_wp_mgdp_populate_cloud_files · admin\class-wp-migration-duplicator-admin.php:74
auth · wp_ajax_wp_mgdp_populate_popup · admin\class-wp-migration-duplicator-admin.php:75
auth · wp_ajax_wp_mgdp_populate_feedback · admin\class-wp-migration-duplicator-admin.php:76
auth · wp_ajax_mgdp_plugin_file_tree · admin\class-wp-migration-duplicator-admin.php:77
auth · wp_ajax_wt_mgdp_backups · admin\modules\backups\backups.php:27
auth · wp_ajax_wt-mgdp_submit_feature · admin\modules\backups\backups.php:31
auth · wp_ajax_wt_mgdp_export · admin\modules\export\export.php:51
auth · wp_ajax_mgdp_plugin_save_schedule · admin\modules\export\export.php:65
auth · wp_ajax_mgdp_plugin_save_settings · admin\modules\export\export.php:66
auth · wp_ajax_mgdp_plugin_delete_schedule · admin\modules\export\export.php:67
auth · wp_ajax_mgdp_get_file_size · admin\modules\export\export.php:68
auth · wp_ajax_wp_mgdp_ftp_ajax · admin\modules\ftp\ftp.php:39
auth · wp_ajax_wp_mgdp_test_ftp_ajax · admin\modules\ftp\ftp.php:40
auth · wp_ajax_wp_mgdp_load_ftp_backups · admin\modules\ftp\ftp.php:50
auth · wp_ajax_wp_mgdp_disconnect_googledrive · admin\modules\googledrive\googledrive.php:73
auth · wp_ajax_wp_mgdp_check_googledrive_authentication · admin\modules\googledrive\googledrive.php:81
auth · wp_ajax_wt_mgdp_import · admin\modules\import\import.php:43
auth · wp_ajax_mgdp_plugin_save_import_settings · admin\modules\import\import.php:49
auth · wp_ajax_wp_mgdp_authenticate_s3bucket · admin\modules\s3\s3.php:85
auth · wp_ajax_wp_mgdp_disconnect_s3bucket · admin\modules\s3\s3.php:86
auth · wp_ajax_wp_mgdp_check_s3bucket_authentication · admin\modules\s3\s3.php:87
WordPress Hooks 69
action · admin_init · admin\class-wp-migration-duplicator-admin.php:79
action · admin_init · admin\class-wp-migration-duplicator-admin.php:80
filter · wt_mgdp_plugin_settings_tabhead · admin\modules\backups\backups.php:29
action · wt_mgdp_plugin_out_settings_form · admin\modules\backups\backups.php:30
filter · wt_mgdp_plugin_settings_tabhead · admin\modules\export\export.php:58
action · wt_mgdp_plugin_out_settings_form · admin\modules\export\export.php:59
action · wt_mgdp_backups_head · admin\modules\export\export.php:60
action · wt_migrator_exlcude_files · admin\modules\export\export.php:62
action · wt_migrator_exlcude_files_cron · admin\modules\export\export.php:63
action · admin_enqueue_scripts · admin\modules\export\export.php:64
action · init · admin\modules\export\export.php:70
filter · cron_schedules · admin\modules\export\export.php:72
filter · wt_mgdp_general_settings_tabhead · admin\modules\ftp\ftp.php:35
filter · wt_mgdb_export_options · admin\modules\ftp\ftp.php:36
filter · wt_mgdb_import_options · admin\modules\ftp\ftp.php:37
action · wt_mgdp_plugin_out_storage_settings_form · admin\modules\ftp\ftp.php:38
filter · wt_mgdp_remote_adapters · admin\modules\ftp\ftp.php:41
filter · wt_mgdp_exporter_remote_adapter_names · admin\modules\ftp\ftp.php:42
filter · wt_mgdp_exporter_file_into_fields_row_id · admin\modules\ftp\ftp.php:43
action · wt_mgdp_exporter_file_into_js_fn · admin\modules\ftp\ftp.php:44
action · wt_migrator_after_export_page_content · admin\modules\ftp\ftp.php:45
action · wt_migrator_after_export_page_content_schedule · admin\modules\ftp\ftp.php:46
filter · wtmgdp_export_output · admin\modules\ftp\ftp.php:47
action · mgdp_after_import_form · admin\modules\ftp\ftp.php:48
filter · wt_migrator_get_import_attachment_url · admin\modules\ftp\ftp.php:49
filter · wt_mgdb_export_options · admin\modules\googledrive\googledrive.php:65
filter · wtmgdp_export_output · admin\modules\googledrive\googledrive.php:66
filter · wt_mgdp_general_settings_tabhead · admin\modules\googledrive\googledrive.php:68
action · wt_mgdp_plugin_out_storage_settings_form · admin\modules\googledrive\googledrive.php:69
action · wp_loaded · admin\modules\googledrive\googledrive.php:70
action · wp_loaded · admin\modules\googledrive\googledrive.php:72
filter · wt_mgdb_import_options · admin\modules\googledrive\googledrive.php:74
action · mgdp_after_import_form · admin\modules\googledrive\googledrive.php:75
filter · wt_migrator_get_import_attachment_url · admin\modules\googledrive\googledrive.php:76
action · wt_migrator_after_export_page_content_schedule · admin\modules\googledrive\googledrive.php:77
action · wt_migrator_after_export_page_content · admin\modules\googledrive\googledrive.php:79
filter · wt_migrator_googledrive_is_authenticated · admin\modules\googledrive\googledrive.php:82
filter · wt_migrator_googledrive_load_backups · admin\modules\googledrive\googledrive.php:83
filter · wt_mgdp_plugin_settings_tabhead · admin\modules\import\import.php:45
action · wt_mgdp_plugin_out_settings_form · admin\modules\import\import.php:46
action · wt_mgdp_backups_action_column · admin\modules\import\import.php:47
action · wt_mgdp_backups_table_top · admin\modules\import\import.php:48
action · admin_notices · admin\modules\review-requiest\class-wt-migrator-plugin-review-request.php:54
action · admin_print_footer_scripts · admin\modules\review-requiest\class-wt-migrator-plugin-review-request.php:55
action · init · admin\modules\review-requiest\class-wt-migrator-plugin-review-request.php:58
filter · wt_mgdb_export_options · admin\modules\s3\s3.php:71
filter · wtmgdp_export_output · admin\modules\s3\s3.php:72
filter · wt_mgdp_general_settings_tabhead · admin\modules\s3\s3.php:74
action · wt_mgdp_plugin_out_storage_settings_form · admin\modules\s3\s3.php:75
filter · wt_mgdb_import_options · admin\modules\s3\s3.php:78
action · mgdp_after_import_form · admin\modules\s3\s3.php:79
filter · wt_migrator_get_import_attachment_url · admin\modules\s3\s3.php:80
action · wt_migrator_after_export_page_content · admin\modules\s3\s3.php:82
action · wt_migrator_after_export_page_content_schedule · admin\modules\s3\s3.php:83
filter · wt_migrator_s3bucket_is_authenticated · admin\modules\s3\s3.php:88
filter · wt_migrator_s3bucket_load_backups · admin\modules\s3\s3.php:89
action · admin_footer · admin\modules\uninstall-feedback\uninstall-feedback.php:24
action · init · includes\class-wp-migration-duplicator.php:185
action · admin_menu · includes\class-wp-migration-duplicator.php:198
action · admin_menu · includes\class-wp-migration-duplicator.php:199
action · admin_enqueue_scripts · includes\class-wp-migration-duplicator.php:201
action · admin_enqueue_scripts · includes\class-wp-migration-duplicator.php:202
action · admin_init · includes\class-wp-migration-duplicator.php:208
action · wp_enqueue_scripts · includes\class-wp-migration-duplicator.php:224
action · wp_enqueue_scripts · includes\class-wp-migration-duplicator.php:225
action · admin_notices · includes\class-wp-migration-non-apache-info.php:30
action · admin_print_footer_scripts · includes\class-wp-migration-non-apache-info.php:31
action · init · includes\class-wp-migration-non-apache-info.php:36
action · admin_notices · wp-migration-duplicator.php:131
Maintenance & Trust

WebToffee WP Backup and Migration Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 2, 2025
PHP min version: 5.6
Downloads: 379K

Community Trust

Rating: 90/100
Number of ratings: 49
Active installs: 6K
Developer Profile

WebToffee WP Backup and Migration Developer Profile

WebToffee

17 plugins · 377K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 155 days
Detection Fingerprints

How We Detect WebToffee WP Backup and Migration

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-migration-duplicator/assets/css/frontend.css
  • /wp-content/plugins/wp-migration-duplicator/assets/css/frontend_settings.css
  • /wp-content/plugins/wp-migration-duplicator/assets/js/frontend.js
  • /wp-content/plugins/wp-migration-duplicator/assets/js/frontend_settings.js
  • /wp-content/plugins/wp-migration-duplicator/assets/css/admin.css
  • /wp-content/plugins/wp-migration-duplicator/assets/js/admin.js
  • /wp-content/plugins/wp-migration-duplicator/assets/js/vendor/bootstrap.min.js
  • /wp-content/plugins/wp-migration-duplicator/assets/js/vendor/jquery.dataTables.min.js
  • +153 more
Script Paths
  • /wp-content/plugins/wp-migration-duplicator/assets/js/frontend.js
  • /wp-content/plugins/wp-migration-duplicator/assets/js/frontend_settings.js
  • /wp-content/plugins/wp-migration-duplicator/assets/js/admin.js
  • /wp-content/plugins/wp-migration-duplicator/assets/js/vendor/bootstrap.min.js
  • /wp-content/plugins/wp-migration-duplicator/assets/js/vendor/jquery.dataTables.min.js
  • /wp-content/plugins/wp-migration-duplicator/assets/js/vendor/sweetalert2.min.js
  • +91 more
Version Parameters
  • wp-migration-duplicator/assets/css/frontend.css?ver=
  • wp-migration-duplicator/assets/css/frontend_settings.css?ver=
  • wp-migration-duplicator/assets/js/frontend.js?ver=
  • wp-migration-duplicator/assets/js/frontend_settings.js?ver=
  • wp-migration-duplicator/assets/css/admin.css?ver=
  • wp-migration-duplicator/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wt-migration-duplicator-wrapper
  • webtoffee-wp-migration-duplicator
  • wt-migration-duplicate-backup-content
  • wt-migration-backup-content
  • wt-migration-backup-process-content
  • wt-migration-import-content
  • wt-migration-import-process-content
  • wt-migration-log-content
HTML Comments
  • <!-- wp-migration-duplicator plugin -->
  • <!-- Plugin settings -->
  • <!-- Module list -->
  • <!-- Module folder and main file must be same as that of module name -->
  • +13 more
Data Attributes
  • data-plugin-name="Wp_Migration_Duplicator"
  • data-plugin-version="1.5.8"
  • data-plugin-textdomain="wp-migration-duplicator"
  • data-webtoffee-support-link="https://www.webtoffee.com/support/"
  • data-webtoffee-docs-link="https://www.webtoffee.com/wordpress-backup-migration-user-guide/"
  • data-webtoffee-plugins-link="https://www.webtoffee.com/plugins/"
JS Globals
  • wt_migration_duplicator_admin_params
  • wt_migration_duplicator_params