Once activated, new features appear in the migration interface:
| Risk | Severity | Mitigation |
|------|----------|-------------|
| Exposure of internal naming convention | Low | Not a direct vulnerability. |
| Leftover temp ZIP file (if exists) | Medium | Scan /wp-content/uploads/ and /tmp/ for orphaned ZIPs. |
| Attempted path traversal or LFI | High (if user-controlled) | Validate any input that includes this string; treat as suspicious. | wpmigratedbproaddonszip
⚠️ If this string appears in a URL parameter (
?file=wpmigratedbproaddonszip), block the request. It may be a fuzzing attempt targeting backup or add-on files. Once activated, new features appear in the migration
WordPress stores data in the database using PHP serialization. When a URL changes (e.g., changing from site.com to localhost/site), simple text replacement breaks serialized data strings because the character count changes. ⚠️ If this string appears in a URL parameter (
Certain plugins (like Advanced Custom Fields, WooCommerce, or complex page builders) store data in complex custom tables.
Click on the Addons tab within the plugin interface. You will see a list of available addons (Media Files, CLI, etc.) with "Install" buttons next to them.