CVE-2025-7486 identifies a stored cross-site scripting (XSS) vulnerability in the motovnet Ebook Store plugin for WordPress, affecting all versions up to and including 5.8012. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically insufficient input sanitization and output escaping in the Order Details field. An authenticated attacker with administrator-level privileges on a multi-site WordPress installation, where the unfiltered_html capability is disabled, can inject arbitrary JavaScript code into order detail pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability does not require user interaction beyond page access but does require high privileges, limiting exploitation to trusted insiders or compromised admin accounts. The CVSS v3.1 base score is 4.4 (medium severity), reflecting network attack vector, high attack complexity, required privileges, no user interaction, and partial confidentiality and integrity impact without availability impact. No public exploits have been reported yet, but the vulnerability poses a risk in environments with multi-site WordPress setups using this plugin. Due to the nature of stored XSS, the attack surface includes any user accessing the infected order detail pages, potentially affecting multiple users across the network. The vulnerability is specific to multi-site installations and those with unfiltered_html disabled, narrowing the affected population but still significant given WordPress’s widespread use.

The primary impact of CVE-2025-7486 is the potential compromise of confidentiality and integrity within affected WordPress multi-site environments using the motovnet Ebook Store plugin. Successful exploitation allows an attacker with admin privileges to inject malicious scripts that execute in the browsers of other users viewing the infected order detail pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential lateral movement within the WordPress network. Although availability is not directly impacted, the breach of trust and data integrity can cause reputational damage and operational disruptions. The requirement for administrator-level access limits the threat to insiders or attackers who have already compromised an admin account, reducing the likelihood of widespread exploitation. However, in large multi-site WordPress deployments, the scope of affected users can be substantial. Organizations relying on this plugin for e-commerce functionality may face data leakage, unauthorized transactions, or further compromise if the vulnerability is exploited. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks.

To mitigate CVE-2025-7486, organizations should: 1) Immediately update the motovnet Ebook Store plugin to a patched version once available; if no patch exists yet, consider disabling or removing the plugin in multi-site environments. 2) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. 3) Review and harden WordPress multi-site configurations, particularly the unfiltered_html capability settings, to minimize exposure. 4) Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5) Conduct regular security audits and code reviews of plugins, especially those handling user input and order data. 6) Monitor logs and user activity for suspicious behavior indicative of attempted XSS exploitation. 7) Educate administrators about the risks of stored XSS and the importance of sanitizing input fields. 8) Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting the affected plugin. These steps go beyond generic advice by focusing on configuration hardening, access control, and layered defenses specific to multi-site WordPress environments.