The motovnet Ebook Store plugin for WordPress suffers from a critical vulnerability identified as CVE-2025-7437, categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability arises from the ebook_store_save_form function, which lacks proper validation of uploaded file types. This flaw allows unauthenticated attackers to upload arbitrary files, including potentially malicious scripts, directly to the server hosting the WordPress site. Since the plugin does not restrict file types or enforce authentication before upload, attackers can exploit this to upload web shells or other executable code, leading to remote code execution (RCE). The vulnerability affects all versions up to and including 5.8012. The CVSS 3.1 base score of 9.8 reflects the critical nature of this issue, with an attack vector over the network, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's characteristics make it highly exploitable. This flaw can compromise the entire web server, allowing attackers to take control, steal data, deface websites, or pivot to internal networks. The absence of patches at the time of publication increases the urgency for mitigation. The vulnerability is particularly dangerous in WordPress environments where the Ebook Store plugin is used for e-commerce or digital content delivery, as attackers could manipulate transactions or customer data.

The impact of CVE-2025-7437 is severe and wide-ranging. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the server. This compromises the confidentiality of sensitive data stored on the server, including customer information and payment details. Integrity is affected as attackers can modify website content, inject malicious code, or alter transaction records. Availability may be disrupted by attackers deploying ransomware, deleting files, or causing denial-of-service conditions. Organizations relying on the Ebook Store plugin for digital sales or content distribution face risks of financial loss, reputational damage, and regulatory penalties due to data breaches. The vulnerability can also serve as a foothold for lateral movement within corporate networks, escalating the threat beyond the web server. Given the plugin’s integration with WordPress, a widely used CMS, the scope of affected systems is substantial, increasing the potential scale of attacks globally.

Immediate mitigation should focus on restricting file uploads and validating file types at the application and server levels. Organizations should: 1) Disable or remove the Ebook Store plugin until a patch is available. 2) Implement web application firewall (WAF) rules to detect and block suspicious file uploads targeting the vulnerable endpoint. 3) Restrict upload directories with strict permissions and disable execution rights on upload folders to prevent execution of uploaded files. 4) Employ server-side file type validation and scanning using antivirus or malware detection tools. 5) Monitor logs for unusual upload activity or access patterns related to the ebook_store_save_form function. 6) Keep WordPress core and all plugins updated and subscribe to vendor security advisories for timely patching. 7) Conduct regular security audits and penetration testing focusing on file upload functionalities. 8) Use Content Security Policy (CSP) headers to limit the impact of potential script injections. These steps go beyond generic advice by focusing on layered defenses and proactive monitoring tailored to this vulnerability’s exploitation vector.