Urgent Security Notice: Critical Vulnerability Found in Popular WordPress Backup Plugin

A critical security vulnerability has been discovered in the widely-used All-in-One WP Migration and Backup plugin—currently installed on over 5 million WordPress websites. This flaw could allow unauthenticated attackers to inject malicious PHP objects, leading to unauthorized file deletion, exposure of sensitive data, or remote code execution.

What You Need to Know

The issue stems from how the plugin handles untrusted data during the backup restoration process. Specifically, the replace_serialized_values function fails to properly validate incoming data, leaving websites vulnerable to PHP Object Injection attacks.

Although exploiting this flaw requires an admin to manually import a compromised backup file, the risk is still very high, especially for websites without active website security services or professional support.

Immediate Action Required

To protect your site, update the All-in-One WP Migration and Backup plugin to version 7.90 or higher immediately. This release addresses the vulnerability and helps safeguard your site against potential attacks.

Keeping your plugins and core files updated is a critical part of maintaining a secure WordPress environment—especially for businesses relying on their websites to drive growth.

Already Handled for Tenaya360 Clients

If you’re a Tenaya360 client, you’re already protected. We’ve proactively patched this issue through our managed website security services, which include real-time threat detection, AI-powered monitoring, and rapid-response support.

Whether you’re running a local business in the San Francisco Bay Area or managing a national brand, we provide comprehensive website design and development, ongoing website hosting, and hands-on maintenance to keep your site fast, safe, and reliable—so you can focus on growing your business.

Proactive Security Tips

To further secure your website, we recommend the following best practices:

  • Perform Routine Backups: Ensure regular, secure backups are in place for quick recovery.

  • Limit Plugin Use: Only install trusted, well-maintained plugins essential to your site’s function.

  • Monitor User Activity: Track administrative actions and limit access to verified users.

  • Stay Informed: Subscribe to WordPress security alerts to act on vulnerabilities quickly.

At Tenaya360, we specialize in helping small businesses across San Francisco and Northern California protect and grow their online presence. From custom website design and development to reliable website hosting and advanced website security services, we’ve got your back—so you never have to worry about your website again.

Contact us to learn more about our Website Care Plan and how we can help keep your site secure, up to date, and running at its best.

Jack Jorgensen founded Tenaya360 in 2016 with a clear mission: to help 10,000 small business owners gain more freedom and peace of mind by providing dedicated support for their online presence. Committed to sustainability, Tenaya360 also aims to plant 1 million trees as part of its ongoing efforts to give back to the planet.