CVE-2025-7437
The Ebook Store plugin for WordPress
Executive summary
A critical vulnerability exists in The Ebook Store plugin for WordPress, identified as CVE-2025-7437. This flaw allows an unauthenticated attacker to upload malicious files to a vulnerable website, which can lead to a complete system compromise. Successful exploitation could result in website defacement, data theft, or the server being used for further malicious activities.
Vulnerability
The vulnerability is an arbitrary file upload caused by missing file type validation in the ebook_store_save_form function. An attacker can craft a request that submits a file with a server-side executable extension (e.g., .php) in place of a legitimate ebook file. Because the server-side code does not validate the file type before writing the file to disk, the malicious file is stored under the web root, and the attacker executes its code simply by requesting the file's URL: the web server hands a .php file to the PHP interpreter instead of serving it as a download. No authentication is required, so the only precondition is network access to the site.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation of this flaw can have severe consequences for the business, including a complete compromise of the web server. Potential impacts include the theft of sensitive data such as customer information and payment details, intellectual property loss, website defacement, and reputational damage. An attacker could also install ransomware or use the compromised server as a platform to launch further attacks, creating significant financial and legal risks for the organization.
Remediation
Immediate Action: Update The Ebook Store plugin for WordPress to the latest patched release (any version after 5.8012; 5.8012 and earlier are affected). Take a full backup of the site before updating and verify that it functions correctly afterwards. Note that updating closes the upload hole but does not remove files an attacker may already have placed on the server; those must be found and removed separately (see the monitoring and audit steps that follow).
Proactive Monitoring: System administrators should actively monitor for signs of compromise. Review web server access logs for POST requests to the endpoint(s) that invoke ebook_store_save_form, and for any subsequent requests for files with executable extensions (.php, .phtml, .phar, or double extensions such as .php.pdf) under the plugin's upload directories; a 200 response to such a request is a strong indicator that a web shell was uploaded and reached. Bear in mind that the upload and the follow-up request need not come from the same client address. Implement file integrity monitoring (FIM) to alert on any new file added to the uploads tree, since that directory should only ever receive documents, not scripts.
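The log review described above, as an added example written for this page rather than code from the advisory or the plugin: a POSIX shell script that walks a combined-format access log, remembers which clients sent a POST to the upload endpoint, and then reports any later request by one of those clients for a PHP-family file under the uploads tree. The endpoint URL (assumed here to be an admin-ajax.php call whose action contains "ebook_store"), the ebook-store subdirectory under wp-content/uploads/, and the sample log lines are all constructed assumptions; the advisory names the function but not its URL.

```shell
#!/bin/sh
# Added example (not from the advisory): correlate an upload POST with a later
# request for an executable file under the uploads tree, per client IP.
# Assumptions: the upload endpoint's URL contains "ebook_store" (the advisory
# names the function ebook_store_save_form but not its URL), and uploaded files
# land under /wp-content/uploads/. Adjust both patterns to your installation.

# Print each request, from a client that earlier POSTed to the upload endpoint,
# for a file under uploads whose name carries a PHP-family extension anywhere in
# it (book.php, book.phtml, and double extensions such as book.php.pdf, which
# some Apache handler configurations still execute).
# Expects combined log format: ip - - [ts] "METHOD path HTTP/x" status size ...
suspicious_requests() {
    awk '
    {
        ip = $1; method = $6; path = $7
        sub(/^"/, "", method)
        if (method == "POST" && path ~ /ebook_store/) { uploader[ip] = 1; next }
        if (path ~ /^\/wp-content\/uploads\// &&
            path ~ /\.(php|phtml|phar|phps)[0-9]*(\.|\?|$)/ &&
            (ip in uploader)) print
    }' "$1"
}

# Number of suspicious requests in the log file given as $1.
count_suspicious() {
    suspicious_requests "$1" | wc -l | tr -d ' '
}

# Constructed sample log (not real traffic). One client uploads and then fetches
# book.php and a double-extension variant; a normal visitor fetches a PDF; a
# third client probes for a PHP file without having uploaded anything.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Jul/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=ebook_store_save_form HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jul/2025:10:01:05 +0000] "GET /wp-content/uploads/ebook-store/book.php HTTP/1.1" 200 48 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jul/2025:10:02:00 +0000] "GET /wp-content/uploads/ebook-store/guide.pdf HTTP/1.1" 200 90411 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2025:10:03:10 +0000] "GET /wp-content/uploads/ebook-store/book.php.pdf?cmd=id HTTP/1.1" 200 51 "-" "curl/8.0"
192.0.2.9 - - [10/Jul/2025:10:04:00 +0000] "GET /wp-content/uploads/2025/07/index.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run: ./scan.sh --demo builds the sample log and lists the hits.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    suspicious_requests "$tmp"
    rm -f "$tmp"
fi
```

On the sample data the script reports the two requests from 203.0.113.5 and stays quiet about the unrelated 404 probe. The per-IP correlation keeps noise down, but because an attacker can upload from one address and trigger the shell from another, pair this with a second, uncorrelated pass that lists every 200 response for a PHP-family file under uploads, which on a healthy site should be empty.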
Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:
- Use a Web Application Firewall (WAF) to inspect and block malicious file uploads based on file extension and content.
- Disable file execution in the WordPress uploads directory via server configuration (e.g., using an .htaccess file).
- If the plugin's functionality is not critical, disable the plugin until it can be safely patched.
- Restrict access to the WordPress administrative dashboard to trusted IP addresses. This is defense in depth rather than a fix, since the vulnerable upload does not require an authenticated session.
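The "disable file execution in the uploads directory" control above, as an added example that is not part of the advisory: a small shell helper that writes an .htaccess into the uploads tree and a check that it carries both controls. The Apache 2.4 directives are standard; the assumptions are that Apache honours .htaccess here (AllowOverride must permit it), that PHP runs as mod_php for the second rule (the module name mod_php.c is the PHP 8 build; PHP 7 builds register as mod_php7.c), and that the uploads directory path is supplied by the caller. Nginx ignores .htaccess entirely, so on Nginx the equivalent is a location block that returns 403 for the same pattern.

```shell
#!/bin/sh
# Added example (not from the advisory): drop an .htaccess into the uploads
# tree that refuses to serve or execute PHP-family files. Apache 2.4 syntax;
# it only takes effect where AllowOverride permits it, and Nginx ignores it.
write_uploads_htaccess() {
    dir="$1"
    cat > "$dir/.htaccess" <<'EOF'
# Refuse any file whose name contains a PHP-family extension anywhere, so that
# double extensions such as book.php.pdf are covered as well as book.php.
<FilesMatch "\.(php|phtml|phar|phps)[0-9]*(\.|$)">
    Require all denied
</FilesMatch>
# Under mod_php, also switch the interpreter off for this tree as a second
# layer. mod_php.c is the PHP 8 module name; older builds use mod_php7.c.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
EOF
}

# Self-check: succeeds (exit 0) only when the file carries both controls.
htaccess_blocks_php() {
    f="$1/.htaccess"
    [ -f "$f" ] && grep -q 'Require all denied' "$f" && grep -q 'engine off' "$f"
}

# Stand-alone run: ./harden.sh /var/www/html/wp-content/uploads
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    write_uploads_htaccess "$1"
    htaccess_blocks_php "$1" && echo "PHP execution blocked under $1"
fi
```

The FilesMatch pattern deliberately has no end anchor after the extension group, so a name like book.php.pdf is refused as well; the php_flag line is redundant with it but costs nothing and survives a later edit that loosens the pattern. After applying it, request a known-good PDF under uploads to confirm downloads still work, and request a test file named probe.php to confirm a 403.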
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the critical CVSS score of 9.8 and the public availability of exploit code, this vulnerability poses an immediate and significant threat. We strongly recommend that organizations using The Ebook Store plugin prioritize applying the security update immediately. While this CVE is not yet on the CISA KEV list, its severity and the likelihood of active exploitation warrant urgent action. After patching, a thorough security audit should be conducted to search for any indicators of compromise that may have occurred prior to remediation.