XServer Migrator Security & Risk Analysis

wordpress.org/plugins/xserver-migrator

This plugin lets you use the "WordPress Easy Migration" feature on the rental server service provided by Xserver Inc. (エックスサーバー株式会社).

10K active installs · v1.6.6 · Requires WP 4.2.29+ (no PHP minimum listed) · Updated Jan 9, 2025
Author: xserver
Security score: 90 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Apr 29, 2024
Safety Verdict

Is XServer Migrator Safe to Use in 2026?

Generally Safe

Score 90/100

XServer Migrator has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Apr 29, 2024 · Updated 1yr ago
Risk Assessment

The xserver-migrator plugin v1.6.6 exhibits a mixed security posture. On the positive side, its attack surface is fully protected: all six AJAX handlers require authentication, and there are no exposed REST API routes or shortcodes. Output escaping is also excellent at 90%. However, several aspects warrant attention. The presence of 22 dangerous function calls, all to 'exec', is a significant red flag: it creates the potential for arbitrary command execution if the arguments are not handled with extreme care and rigorous input validation. While taint analysis did not reveal critical or high severity issues in this scan, the fact that all 4 analyzed flows had unsanitized paths is concerning and suggests vulnerabilities that may be subtle or not fully captured by the current analysis.

The plugin's vulnerability history shows a single high-severity CVE, a Cross-Site Request Forgery (CSRF). While this CVE is patched, a past high-severity vulnerability, even a resolved one, indicates a history of security weaknesses. That history, though limited to one issue, combined with the static analysis findings of 'exec' usage and unsanitized paths, calls for continued vigilance and thorough security auditing. Overall, while the current version has a secure entry point exposure and good output sanitization, the pervasive use of dangerous functions and the taint analysis results point to underlying risks that could be exploited if inputs are not meticulously validated and handled.

Key Concerns

  • Dangerous function 'exec' usage detected
  • All taint flows had unsanitized paths
  • Past high severity vulnerability (CSRF)
  • SQL queries not always using prepared statements

XServer Migrator Security Vulnerabilities

CVEs by Year

2024: 1 CVE (patched)

Severity Breakdown

High: 1

1 total CVE

CVE-2024-33913 · High (8.8) · Cross-Site Request Forgery (CSRF)

Xserver Migrator <= 1.6.2 - Cross-Site Request Forgery to Arbitrary File Upload

Apr 29, 2024 · Patched in 1.6.2.1 (24d)
Analyzed Mar 16, 2026

XServer Migrator Code Analysis

Dangerous Functions: 22
Raw SQL Queries: 11 (6 prepared)
Unescaped Output: 1 (9 escaped)
Nonce Checks: 6
Capability Checks: 2
File Operations: 14
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

packages\archiver\class-xserver-migrator-archiver.php:127: exec( $command, $output, $return_var );
packages\archiver\class-xserver-migrator-archiver.php:145: exec( $command, $output, $return_var );
packages\class-xserver-migrator-server.php:100: exec( 'pwd', $output, $return_var );
packages\class-xserver-migrator-server.php:111: exec( 'which zip', $output, $return_var );
packages\class-xserver-migrator-server.php:116: exec( 'type zip', $output, $return_var );
packages\class-xserver-migrator-server.php:127: exec( 'which zipinfo', $output, $return_var );
packages\class-xserver-migrator-server.php:138: exec( 'which tar', $output, $return_var );
packages\class-xserver-migrator-server.php:143: exec( 'type tar', $output, $return_var );
packages\class-xserver-migrator-server.php:154: exec( 'which mysqldump', $output, $return_var );
packages\class-xserver-migrator-server.php:159: exec( 'type mysqldump', $output, $return_var );
packages\class-xserver-migrator-server.php:180: exec( 'which find && which wc', $output, $return_var );
packages\database\class-xserver-migrator-database-mysqldump-dumper.php:41: exec( $command, $output, $return_var );
packages\database\class-xserver-migrator-database-mysqldump-dumper.php:66: exec( 'which mysqldump', $output, $status );
packages\database\class-xserver-migrator-database-mysqldump-dumper.php:71: exec( 'type mysqldump', $output, $status );
packages\database\class-xserver-migrator-database-mysqldump-dumper.php:85: exec( "sed -i '' -e '/^\/\*!50013 DEFINER=/d' " . $this->dump_file_path, $output, $status );
packages\database\class-xserver-migrator-database-mysqldump-dumper.php:87: exec( "sed -i -e '/^\/\*!50013 DEFINER=/d' " . $this->dump_file_path, $output, $status );
packages\database\class-xserver-migrator-database-mysqldump-dumper.php:95: exec( "sed -i '' -r 's/\/\*\!50020 DEFINER=`.*`@`localhost`\*\/ //g' " . $this->dump_file_path, $out…
packages\database\class-xserver-migrator-database-mysqldump-dumper.php:97: exec( "sed -i -E 's/\/\*\!50020 DEFINER=`.*`@`localhost`\*\/ //g' " . $this->dump_file_path, $output…
packages\database\class-xserver-migrator-database-mysqldump-dumper.php:105: exec( "sed -i '' -r 's/CREATE DEFINER=.+ (FUNCTION|PROCEDURE)/CREATE \\1/g' " . $this->dump_file_pat…
packages\database\class-xserver-migrator-database-mysqldump-dumper.php:107: exec( "sed -i -E 's/CREATE DEFINER=.+\s(FUNCTION|PROCEDURE)/CREATE \\1/g' " . $this->dump_file_path,…
packages\database\class-xserver-migrator-database-mysqldump-dumper.php:116: exec( "sed -i '' -e '/^\/\*.*\\\- enable the sandbox mode/d' " . $this->dump_file_path, $output, $st…
packages\database\class-xserver-migrator-database-mysqldump-dumper.php:118: exec( "sed -i -e '/^\/\*.*\\\- enable the sandbox mode/d' " . $this->dump_file_path, $output, $statu…

SQL Query Safety

35% prepared (17 total queries)

Output Escaping

90% escaped (10 total outputs)

Data Flow Analysis

4 flows, 4 with unsanitized paths
add_admin_head (packages\class-xserver-migrator-admin.php:23)
[Flow diagram not reproduced; legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]

XServer Migrator Attack Surface

Entry Points: 6
Unprotected: 0

AJAX Handlers (6)

wp_ajax_xserver_migrator_execute (auth) packages\class-xserver-migrator.php:128
wp_ajax_xserver_migrator_get_versions_and_db_size (auth) packages\class-xserver-migrator.php:129
wp_ajax_xserver_migrator_get_available_archive_methods (auth) packages\class-xserver-migrator.php:130
wp_ajax_xserver_migrator_create_challenge_token (auth) packages\class-xserver-migrator.php:131
wp_ajax_xserver_migrator_delete_challenge_token (auth) packages\class-xserver-migrator.php:132
wp_ajax_xserver_migrator_get_table_prefix (auth) packages\class-xserver-migrator.php:133

WordPress Hooks (3)

admin_menu (action) packages\class-xserver-migrator-admin.php:16
admin_head (action) packages\class-xserver-migrator-admin.php:17
plugins_loaded (action) xserver-migrator.php:62

XServer Migrator Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jan 9, 2025
PHP min version: (none listed)
Downloads: 199K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10K

XServer Migrator Alternatives

No alternatives data available yet.


XServer Migrator Developer Profile

XServer

2 plugins · 110K total installs

Trust score: 91
Avg Security Score: 95/100
Avg Patch Time: 16 days

How We Detect XServer Migrator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/xserver-migrator/packages/css/xserver-migrator-admin.css
/wp-content/plugins/xserver-migrator/packages/js/xserver-migrator-admin.js
Script Paths
/wp-content/plugins/xserver-migrator/packages/js/xserver-migrator-admin.js
Version Parameters
xserver-migrator/packages/css/xserver-migrator-admin.css?ver=
xserver-migrator/packages/js/xserver-migrator-admin.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- Xserver Migrator -->
<!-- Dump completed on YYYY-MM-DD HH:MM:SS -->
Data Attributes
name="xserver-migrator-nonce"
content="
JS Globals
window.xserver_migrator_nonce

Frequently Asked Questions about XServer Migrator