{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7437", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-10T16:51:50.723Z", "datePublished": "2025-07-24T04:24:13.455Z", "dateUpdated": "2026-04-08T16:35:19.811Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:19.811Z"}, "affected": [{"vendor": "motovnet", "product": "Ebook Store", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.8012", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ebook Store plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ebook_store_save_form function in all versions up to, and including, 5.8012. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Ebook Store <= 5.8012 - Unauthenticated Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0dc5c05d-51b7-4aee-bb4e-366ded45c4d8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ebook-store/trunk/functions.php#L2442"}, {"url": "https://plugins.trac.wordpress.org/changeset/3328355"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-06-30T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-07-11T14:43:20.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-23T16:22:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-24T13:10:56.137001Z", "id": "CVE-2025-7437", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:36:42.819Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7437", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-24T13:10:56.137001Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:35:03.536Z"}}], "cna": {"title": "Ebook Store <= 5.8012 - Unauthenticated Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "motovnet", "product": "Ebook Store", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.8012"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-30T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-07-11T14:43:20.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-23T16:22:34.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0dc5c05d-51b7-4aee-bb4e-366ded45c4d8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ebook-store/trunk/functions.php#L2442"}, {"url": "https://plugins.trac.wordpress.org/changeset/3328355"}], "descriptions": [{"lang": "en", "value": "The Ebook Store plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ebook_store_save_form function in all versions up to, and including, 5.8012. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-07-24T04:24:13.455Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7437", "state": "PUBLISHED", "dateUpdated": "2025-07-24T13:36:42.819Z", "dateReserved": "2025-07-10T16:51:50.723Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-24T04:24:13.455Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ebook Store plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ebook_store_save_form function in all versions up to, and including, 5.8012. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El complemento Ebook Store para WordPress es vulnerable a la carga de archivos arbitrarios debido a la falta de validaci\u00f3n del tipo de archivo en la funci\u00f3n ebook_store_save_form en todas las versiones hasta la 5.8012 incluida. Esto permite que atacantes no autenticados carguen archivos arbitrarios en el servidor del sitio afectado, lo que podr\u00eda posibilitar la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2025-7437", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-24T07:15:54.740", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ebook-store/trunk/functions.php#L2442"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3328355"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0dc5c05d-51b7-4aee-bb4e-366ded45c4d8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:35:17.027207+00:00", "value": {"mitigation_remediation": ["Update the Ebook Store plugin to version 5.8013 or later to apply the vendor\u2019s fix for the file\u2011type validation bug.", "Until a patch is applied, disable or delete the Ebook Store plugin from the WordPress installation, or block unauthenticated file uploads with .htaccess or a web\u2011application firewall.", "Configure the web server or the plugin to allow only whitelisted MIME types for file uploads and ensure that any uploaded files are stored in a non\u2011executable directory."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of the Ebook Store plugin by motovnet with versions up to and including 5.8012 are affected. The vulnerability resides in the ebook_store_save_form function and any WordPress site that has not applied a newer version is at risk. The plugin is typically used by e\u2011book retail or distribution sites.", "description_and_impact": "The Ebook Store plugin for WordPress permits unauthenticated users to upload arbitrary files because it lacks file type validation, allowing an attacker to upload a malicious script that may be executed on the server. This flaw is a classic instance of unrestricted file upload (CWE\u2011434) and gives the attacker the ability to run code with the privileges of the web server process.", "risk_and_exploitability": "The vulnerability scores a CVSS of 9.8, indicating critical severity. The EPSS score is less than 1\u202f%, showing a very low but non\u2011zero exploitation probability, and it is not listed in the CISA KEV catalog. The attack vector is inferred as a web\u2011application path; an unauthenticated user can issue an HTTP request to the plugin\u2019s upload endpoint and supply any file type. Because no validation occurs, malicious executable files can reach the server\u2019s document root, after which they can be accessed or executed, leading to remote code execution."}}}}, "created": "2025-07-24T21:26:44.333524+00:00", "updated": "2026-04-22T14:45:19.280987+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}