WP STAGING – WordPress Backup, Restore & Migration Security & Risk Analysis

wordpress.org/plugins/wp-staging

Backup, restore, staging, and migration for WordPress. Create full-site backups and test updates safely.

100K active installs · v4.7.0 · PHP 7.0+ · WP 3.6+ · Updated Mar 10, 2026
Tags: backup, migration, restore, staging, wordpress-backup

Security score: 95 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: May 28, 2024
Safety Verdict

Is WP STAGING – WordPress Backup, Restore & Migration Safe to Use in 2026?

Generally Safe

Score 95/100

WP STAGING – WordPress Backup, Restore & Migration has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: May 28, 2024 · Updated 23d ago
Risk Assessment

The plugin "wp-staging" v4.7.0 presents a mixed security posture. A large share of its SQL queries use prepared statements (77%) and most of its output is properly escaped (82%), but several findings are concerning. The most alarming is the size of the attack surface: 107 AJAX handlers, 106 of which lack authentication checks. Such wide-open entry points substantially raise the risk of unauthorized access and malicious operations. The presence of dangerous functions such as exec and unserialize is a further red flag, especially alongside the unsanitized input paths identified in the taint analysis. Although no critical or high severity taint flows were found, all 9 analyzed flows had unsanitized paths, which is a strong indicator of potential vulnerabilities. The vulnerability history includes four known CVEs, one of them critical, and a recent medium-severity vulnerability discovered in May 2024. Combined with the static analysis findings, this history suggests a pattern of security weaknesses that could be exploited if not diligently addressed. The plugin's strengths are its secure SQL practices and output escaping, but these are overshadowed by the large number of unprotected AJAX endpoints and the unsanitized input flows.

Key Concerns

  • 106 unprotected AJAX handlers
  • Presence of dangerous functions (exec, unserialize)
  • 9 taint flows with unsanitized paths
  • 1 critical CVE in vulnerability history
  • 3 medium CVEs in vulnerability history
  • Recent vulnerability (2024-05-28)
  • Limited nonce checks (5)
  • Bundled Freemius library

Vulnerabilities (4)

WP STAGING – WordPress Backup, Restore & Migration Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2024: 3 CVEs

Severity Breakdown

Critical: 1
Medium: 3

4 total CVEs

CVE-2024-3412 · critical · 9.1 · Unrestricted Upload of File with Dangerous Type

WP STAGING WordPress Backup Plugin – Migration Backup Restore <= 3.4.3 - Authenticated (Admin+) Arbitrary File Upload

May 28, 2024 · Patched in 3.5.0 (1d)

CVE-2024-4469 · medium · 4.7 · Server-Side Request Forgery (SSRF)

Migration Backup Restore <= 3.4.3 - Authenticated (Administrator+) Server-Side Request Forgery

May 10, 2024 · Patched in 3.5.0 (6d)

CVE-2023-7204 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

WP STAGING WordPress Backup Plugin < 3.2.0 - Sensitive Information Exposure via cache files

Jan 31, 2024 · Patched in 3.2.0 (78d)

CVE-2022-2737 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP STAGING – Backup Duplicator & Migration <= 2.9.17 - Authenticated (Administrator+) Stored Cross-Site Scripting

Aug 17, 2022 · Patched in 2.9.18 (524d)
Code Analysis (analyzed Mar 16, 2026)

WP STAGING – WordPress Backup, Restore & Migration Code Analysis

Dangerous Functions: 8
Raw SQL Queries: 51 (174 prepared)
Unescaped Output: 307 (1357 escaped)
Nonce Checks: 5
Capability Checks: 26
File Operations: 239
External Requests: 16
Bundled Libraries: 1

Dangerous Functions Found

Function | Code | Location
exec | $user = exec('whoami'); | Backend\Modules\SystemInfo.php:770
unserialize | $unserialized = @unserialize($value); | Backend\Modules\SystemInfoParser.php:440
unserialize | $result = isset($result[0]['option_value']) ? unserialize($result[0]['option_value']) : []; | Framework\Analytics\WithAnalyticsSiteInfo.php:216
unserialize | $unserialized = @unserialize($data); | Framework\Database\SearchReplace.php:225
exec | exec('mklink /D "' . $destination . '" "' . $source . '"'); | Framework\Filesystem\WpUploadsFolderSymlinker.php:91
unserialize | $this->hydrate(unserialize($serialized)); | Framework\Job\Dto\AbstractDto.php:37
unserialize | $this->hydrateProperties(unserialize($serialized)); | Framework\Job\Dto\AbstractTaskDto.php:12
unserialize | return @unserialize($value); | Framework\Utils\DatabaseOptions.php:133

Bundled Libraries

Freemius

SQL Query Safety

77% prepared (225 total queries)

Output Escaping

82% escaped (1664 total outputs)

Data Flows (9 unsanitized)

Data Flow Analysis

9 flows, 9 with unsanitized paths
render (Backup\Ajax\Upload.php:90)
Attack Surface (106 unprotected)

WP STAGING – WordPress Backup, Restore & Migration Attack Surface

Entry Points: 107
Unprotected: 106

AJAX Handlers (107)

Access | Hook | Registered at
auth | wp_ajax_wpstg_activate_pro | Backend\Activation\Welcome.php:21
auth | wp_ajax_wpstg_scanning | Backend\Administrator.php:159
auth | wp_ajax_wpstg_check_clone | Backend\Administrator.php:160
auth | wp_ajax_wpstg_restart | Backend\Administrator.php:161
auth | wp_ajax_wpstg_update | Backend\Administrator.php:162
auth | wp_ajax_wpstg_reset | Backend\Administrator.php:163
auth | wp_ajax_wpstg_cloning | Backend\Administrator.php:164
auth | wp_ajax_wpstg_processing | Backend\Administrator.php:165
auth | wp_ajax_wpstg_clone_prepare_directories | Backend\Administrator.php:166
auth | wp_ajax_wpstg_clone_files | Backend\Administrator.php:167
auth | wp_ajax_wpstg_clone_replace_data | Backend\Administrator.php:168
auth | wp_ajax_wpstg_clone_finish | Backend\Administrator.php:169
auth | wp_ajax_wpstg_cancel_clone | Backend\Administrator.php:170
auth | wp_ajax_wpstg_cancel_update | Backend\Administrator.php:171
auth | wp_ajax_wpstg_hide_rating | Backend\Administrator.php:172
auth | wp_ajax_wpstg_hide_later | Backend\Administrator.php:173
auth | wp_ajax_wpstg_hide_beta | Backend\Administrator.php:174
auth | wp_ajax_wpstg_logs | Backend\Administrator.php:175
auth | wp_ajax_wpstg_check_disk_space | Backend\Administrator.php:176
auth | wp_ajax_wpstg_send_report | Backend\Administrator.php:177
auth | wp_ajax_wpstg_send_feedback | Backend\Administrator.php:178
auth | wp_ajax_wpstg_enable_staging_cloning | Backend\Administrator.php:179
auth | wp_ajax_wpstg_clone_excludes_settings | Backend\Administrator.php:180
auth | wp_ajax_wpstg_fetch_dir_children | Backend\Administrator.php:181
auth | wp_ajax_wpstg_modal_error | Backend\Administrator.php:182
auth | wp_ajax_wpstg_dismiss_notice | Backend\Administrator.php:183
auth | wp_ajax_wpstg_restore_settings | Backend\Administrator.php:184
auth | wp_ajax_wpstg_send_debug_log_report | Backend\Administrator.php:185
auth | wp_ajax_wpstg_scan | Backend\Administrator.php:189
auth | wp_ajax_wpstg_push_tables | Backend\Administrator.php:190
auth | wp_ajax_wpstg_push_processing | Backend\Administrator.php:191
nopriv | wp_ajax_wpstg_push_processing | Backend\Administrator.php:192
auth | wp_ajax_wpstg--backups--prepare-backup | Backup\BackupServiceProvider.php:82
auth | wp_ajax_wpstg--backups--create | Backup\BackupServiceProvider.php:83
auth | wp_ajax_wpstg--backups--prepare-restore | Backup\BackupServiceProvider.php:85
auth | wp_ajax_wpstg--backups--restore | Backup\BackupServiceProvider.php:86
auth | wp_ajax_wpstg--backups--read-backup-metadata | Backup\BackupServiceProvider.php:88
auth | wp_ajax_wpstg--backups--delete | Backup\BackupServiceProvider.php:89
auth | wp_ajax_wpstg--backups--edit | Backup\BackupServiceProvider.php:90
auth | wp_ajax_wpstg--backups--parts | Backup\BackupServiceProvider.php:91
auth | wp_ajax_wpstg--backups--restore--file-info | Backup\BackupServiceProvider.php:92
auth | wp_ajax_wpstg--backups--prepare-upload | Backup\BackupServiceProvider.php:93
auth | wp_ajax_wpstg--backups--restore--file-upload | Backup\BackupServiceProvider.php:94
auth | wp_ajax_wpstg--backups--prepare-url-upload | Backup\BackupServiceProvider.php:95
auth | wp_ajax_wpstg--backups--url-file-upload | Backup\BackupServiceProvider.php:96
auth | wp_ajax_wpstg--backups--uploads-delete-unfinished | Backup\BackupServiceProvider.php:97
auth | wp_ajax_wpstg--backups--explore-list | Backup\BackupServiceProvider.php:98
auth | wp_ajax_wpstg--backups--explore-tree | Backup\BackupServiceProvider.php:99
auth | wp_ajax_wpstg--backups--explore-browse | Backup\BackupServiceProvider.php:100
auth | wp_ajax_wpstg--backups--explore-select-directory | Backup\BackupServiceProvider.php:101
auth | wp_ajax_wpstg_calculate_backup_speed_index | Backup\BackupServiceProvider.php:102
auth | wp_ajax_wpstg--send--otp | Backup\BackupServiceProvider.php:105
nopriv | wp_ajax_wpstg--backups--restore | Backup\BackupServiceProvider.php:108
auth | wp_ajax_wpstg--backups-dismiss-schedule | Backup\BackupServiceProvider.php:111
auth | wp_ajax_wpstg--backups-fetch-schedules | Backup\BackupServiceProvider.php:112
auth | wp_ajax_wpstg--backups--calculate-backup-size | Backup\BackupServiceProvider.php:118
auth | wp_ajax_wpstg--backups--listing | Basic\Backup\BackupServiceProvider.php:98
auth | wp_ajax_wpstg--backups--restore--file-list | Basic\Backup\BackupServiceProvider.php:99
auth | wp_ajax_wpstg--job--status | Basic\BasicServiceProvider.php:31
nopriv | wp_ajax_wpstg--job--status | Basic\BasicServiceProvider.php:32
auth | wp_ajax_wpstg_clean_pro_crons | Basic\BootstrapServiceProvider.php:28
auth | wp_ajax_wpstg--staging-site--prepare-create | Basic\Staging\StagingServiceProvider.php:37
auth | wp_ajax_wpstg--staging-site--create | Basic\Staging\StagingServiceProvider.php:38
auth | wp_ajax_wpstg_job_error | Framework\AnalyticsServiceProvider.php:47
auth | wp_ajax_wpstg_staging_job_error | Framework\AnalyticsServiceProvider.php:70
auth | wp_ajax_wpstg_is_writable_clone_destination_dir | Framework\CommonServiceProvider.php:41
auth | wp_ajax_wpstg_check_user_permissions | Framework\CommonServiceProvider.php:42
auth | wp_ajax_wpstg_check_user_is_authenticated | Framework\CommonServiceProvider.php:43
nopriv | wp_ajax_wpstg_check_user_is_authenticated | Framework\CommonServiceProvider.php:44
auth | wp_ajax_wpstg_backup_plugin_notice_close | Framework\CommonServiceProvider.php:45
auth | wp_ajax_wpstg_backup_plugin_notice_remind_me | Framework\CommonServiceProvider.php:46
auth | wp_ajax_wpstg_cli_notice_close | Framework\CommonServiceProvider.php:47
auth | wp_ajax_wpstg_cli_notice_hide_forever | Framework\CommonServiceProvider.php:48
auth | wp_ajax_wpstg_cli_get_backup_list | Framework\CommonServiceProvider.php:49
auth | wp_ajax_wpstg_set_dark_mode | Framework\CommonServiceProvider.php:51
auth | wp_ajax_wpstg_set_default_os_color_mode | Framework\CommonServiceProvider.php:52
auth | wp_ajax_wpstg_log_event_failure | Framework\CommonServiceProvider.php:53
nopriv | wp_ajax_wpstg_log_event_failure | Framework\CommonServiceProvider.php:54
auth | wp_ajax_wpstg--detect-memory-exhaust | Framework\CommonServiceProvider.php:55
auth | wp_ajax_wpstg_log_event_success | Framework\CommonServiceProvider.php:56
nopriv | wp_ajax_wpstg_log_event_success | Framework\CommonServiceProvider.php:57
auth | wp_ajax_wpstg_send_mail_notification | Framework\CommonServiceProvider.php:58
nopriv | wp_ajax_wpstg_send_mail_notification | Framework\CommonServiceProvider.php:59
auth | wp_ajax_wpstg_dismiss_compat_notice | Framework\CommonServiceProvider.php:60
auth | wp_ajax_wpstg--job--heartbeat | Framework\Job\JobServiceProvider.php:40
auth | wp_ajax_wpstg--job--prepare-cancel | Framework\Job\JobServiceProvider.php:41
auth | wp_ajax_wpstg--job--cancel | Framework\Job\JobServiceProvider.php:42
auth | wp_ajax_raw_wpstg--login-url | Framework\Job\JobServiceProvider.php:43
nopriv | wp_ajax_raw_wpstg--login-url | Framework\Job\JobServiceProvider.php:46
nopriv | wp_ajax_wpstg--job--heartbeat | Framework\Job\JobServiceProvider.php:47
auth | wp_ajax_wpstg_purge_queue_table | Framework\SettingsServiceProvider.php:18
auth | wp_ajax_wpstg_http_auth_ping | Framework\SettingsServiceProvider.php:19
nopriv | wp_ajax_wpstg_http_auth_ping | Framework\SettingsServiceProvider.php:20
auth | wp_ajax_wpstg_test_http_auth | Framework\SettingsServiceProvider.php:21
auth | wp_ajax_wpstg--staging-site--prepare-delete | Staging\StagingServiceProvider.php:63
auth | wp_ajax_wpstg--staging-site--delete-confirmation | Staging\StagingServiceProvider.php:64
auth | wp_ajax_wpstg--staging-site--delete | Staging\StagingServiceProvider.php:65
auth | wp_ajax_wpstg--staging-site--listing | Staging\StagingServiceProvider.php:66
auth | wp_ajax_wpstg--staging-site--fix-option | Staging\StagingServiceProvider.php:67
auth | wp_ajax_wpstg--staging-site--report-option | Staging\StagingServiceProvider.php:68
auth | wp_ajax_wpstg--staging-site--setup | Staging\StagingServiceProvider.php:79
auth | wp_ajax_wpstg--staging-site--prepare-create | Staging\StagingServiceProvider.php:85
auth | wp_ajax_wpstg--staging-site--create | Staging\StagingServiceProvider.php:86
auth | wp_ajax_wpstg--staging-site--prepare-update | Staging\StagingServiceProvider.php:88
auth | wp_ajax_wpstg--staging-site--update | Staging\StagingServiceProvider.php:89
auth | wp_ajax_wpstg--staging-site--prepare-reset | Staging\StagingServiceProvider.php:91
auth | wp_ajax_wpstg--staging-site--reset | Staging\StagingServiceProvider.php:92
WordPress Hooks (52)

Type | Hook | Registered at
action | admin_init | Backend\Activation\Welcome.php:20
action | admin_menu | Backend\Administrator.php:143
action | network_admin_menu | Backend\Administrator.php:144
action | admin_init | Backend\Administrator.php:147
action | admin_post_wpstg_download_sysinfo | Backend\Administrator.php:148
action | admin_post_wpstg_download_restorer | Backend\Administrator.php:151
filter | admin_footer | Backend\Administrator.php:155
filter | submenu_file | Backend\Administrator.php:361
filter | option_active_plugins | Backend\Optimizer\wp-staging-optimizer.php:112
filter | site_option_active_sitewide_plugins | Backend\Optimizer\wp-staging-optimizer.php:146
filter | stylesheet_directory | Backend\Optimizer\wp-staging-optimizer.php:183
filter | template_directory | Backend\Optimizer\wp-staging-optimizer.php:184
action | admin_init | Backend\Optimizer\wp-staging-optimizer.php:265
filter | plugin_row_meta | Backend\Pluginmeta\Pluginmeta.php:29
filter | plugin_action_links | Backend\Pluginmeta\Pluginmeta.php:30
filter | network_admin_plugin_action_links | Backend\Pluginmeta\Pluginmeta.php:31
filter | automatic_updater_disabled | Backup\AfterRestore.php:55
action | wp_login | Backup\BackupServiceProvider.php:77
action | admin_post_wpstg--backups--logs | Backup\BackupServiceProvider.php:114
filter | cron_schedules | Core\Cron\Cron.php:56
action | init | Core\WPStaging.php:162
action | wp_loaded | Core\WPStaging.php:612
filter | pre_site_option_active_sitewide_plugins | Framework\Analytics\WithAnalyticsSiteInfo.php:131
action | admin_init | Framework\AnalyticsServiceProvider.php:35
filter | admin_body_class | Framework\Assets\Assets.php:368
action | admin_enqueue_scripts | Framework\AssetServiceProvider.php:17
action | admin_enqueue_scripts | Framework\AssetServiceProvider.php:18
action | wp_enqueue_scripts | Framework\AssetServiceProvider.php:19
action | admin_enqueue_scripts | Framework\AssetServiceProvider.php:20
action | wp_before_admin_bar_render | Framework\AssetServiceProvider.php:21
action | shutdown | Framework\BackgroundProcessing\Queue.php:242
filter | dbdelta_queries | Framework\BackgroundProcessing\Queue.php:335
action | shutdown | Framework\BackgroundProcessing\QueueProcessor.php:166
action | admin_init | Framework\CommonServiceProvider.php:50
action | shutdown | Framework\DI\Container.php:66
action | shutdown | Framework\DI\Resolver.php:40
filter | rest_pre_dispatch | Framework\Job\JobServiceProvider.php:34
action | rest_api_init | Framework\Job\JobServiceProvider.php:35
action | admin_notices | Framework\Notices\NoticesHandler.php:36
action | network_admin_notices | Framework\Notices\NoticesHandler.php:37
action | all_admin_notices | Framework\Notices\NoticesHandler.php:38
action | in_admin_header | Framework\Notices\NoticesHandler.php:75
filter | admin_body_class | Framework\Settings\DarkMode.php:100
action | admin_init | Framework\SettingsServiceProvider.php:17
action | admin_notices | freeBootstrap.php:18
action | plugins_loaded | freeBootstrap.php:41
action | init | Frontend\Frontend.php:78
action | init | Frontend\Frontend.php:79
action | wp_mail_failed | Notifications\Transporter\EmailNotification.php:196
action | admin_notices | opcacheBootstrap.php:94
filter | wpstg.task.response | Staging\Tasks\StagingSiteUpdate\FinishStagingSiteUpdateTask.php:112
action | wpstg.admin_notices | wp-staging.php:59
Maintenance & Trust

WP STAGING – WordPress Backup, Restore & Migration Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Mar 10, 2026
PHP min version: 7.0
Downloads: 5.1M

Community Trust

Rating: 96/100
Number of ratings: 2,449
Active installs: 100K
Developer Profile

WP STAGING – WordPress Backup, Restore & Migration Developer Profile

Rene Hermenau

1 plugin · 100K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 152 days
Detection Fingerprints

How We Detect WP STAGING – WordPress Backup, Restore & Migration

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-staging-optimizer/wp-staging-optimizer.php

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about WP STAGING – WordPress Backup, Restore & Migration