CVE-2025-7437 Overview
The Ebook Store plugin for WordPress contains a critical arbitrary file upload vulnerability in the ebook_store_save_form function. Due to missing file type validation, all versions up to and including 5.8012 allow unauthenticated attackers to upload arbitrary files to the affected site's server. This vulnerability can lead to remote code execution, enabling attackers to take complete control of the compromised WordPress installation.
Critical Impact
Unauthenticated attackers can upload malicious files including PHP web shells, potentially leading to complete server compromise without any authentication required.
Affected Products
- Ebook Store plugin for WordPress versions up to and including 5.8012
- WordPress installations with vulnerable Ebook Store plugin active
- Any website running the affected plugin regardless of WordPress version
Discovery Timeline
- 2025-07-24 - CVE-2025-7437 published to NVD
- 2025-07-25 - Last updated in NVD database
Technical Details for CVE-2025-7437
Vulnerability Analysis
This vulnerability is classified as CWE-434: Unrestricted Upload of File with Dangerous Type. The ebook_store_save_form function in the Ebook Store plugin fails to implement proper file type validation during the file upload process. The missing check lets attackers bypass the expected restrictions and upload executable files such as PHP scripts to the web server.
The vulnerability is particularly dangerous because it requires no authentication. An unauthenticated remote attacker can exploit this flaw to upload a malicious PHP file, which can then be accessed directly via a web request to execute arbitrary code on the server. This provides attackers with a reliable path to establish persistence, exfiltrate data, or pivot to other systems on the network.
Root Cause
The root cause is the absence of file type validation in the ebook_store_save_form function located in the plugin's functions.php file. The function processes file uploads without checking the file extension, MIME type, or content to ensure only safe file types (such as PDF, EPUB, or MOBI files expected for an ebook store) are accepted. This oversight allows any file type, including executable scripts, to be uploaded and stored on the server.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can craft a malicious HTTP request to the vulnerable form handler, including a PHP web shell or other malicious payload as the uploaded file. Once uploaded, the attacker can access the file directly through the web server to execute arbitrary commands with the privileges of the web server process.
The vulnerable function can be reviewed in the WordPress Plugin Function Code. The exploitation flow typically involves:
- Identifying a WordPress site running the vulnerable Ebook Store plugin
- Crafting a multipart form POST request with a malicious PHP file
- Submitting the request to the form handler endpoint
- Accessing the uploaded file to trigger code execution
Detection Methods for CVE-2025-7437
Indicators of Compromise
- Unexpected PHP files appearing in WordPress upload directories, particularly files with suspicious names or obfuscated content
- Web shell files such as *.php, *.phtml, or *.phar in ebook or upload folders
- Unusual outbound network connections from the web server process
- Modified timestamps on files in the plugin's upload directory
- Evidence of POST requests to Ebook Store form endpoints with non-ebook file attachments in web server logs
Detection Strategies
- Monitor web server access logs for POST requests to /wp-content/plugins/ebook-store/ endpoints containing suspicious file extensions
- Implement file integrity monitoring on WordPress upload directories to detect unauthorized file additions
- Deploy web application firewall (WAF) rules to block file uploads with executable extensions to plugin endpoints
- Use security scanning tools to identify the presence of web shells or backdoors in upload directories
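The log-based indicators above (POST requests to the Ebook Store form handler followed by requests for script files in its upload folder) can be checked mechanically. The following is an added example, not code from the advisory or from the plugin: it parses combined-format access log lines, flags POSTs to the plugin prefix the advisory names, flags requests for executable files under the upload folder (double extensions such as x.php.jpg included), and raises the severity when the same client has already POSTed to the plugin. The "uploads/" subdirectory and the handler filename are assumptions, and all log lines are constructed.

```python
"""Scan access-log lines for signs of CVE-2025-7437 abuse: uploads POSTed to the
Ebook Store plugin and requests for executable files under its upload folder.
Added example, not from the original advisory. The plugin prefix comes from the
advisory; the "uploads/" subdirectory and the handler filename in the sample
lines are assumptions, and every log line below is constructed."""
import re
from collections import defaultdict

PLUGIN_PREFIX = "/wp-content/plugins/ebook-store/"      # stated in the advisory
UPLOAD_PREFIX = PLUGIN_PREFIX + "uploads/"              # assumed location
# executable extensions, also when followed by another extension (x.php.jpg)
EXEC_EXT = re.compile(r"\.(?:php|phtml|phar|php[0-9])(?:\.|$)", re.IGNORECASE)

# Apache/Nginx "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec

def analyze(lines):
    """Return (severity, client_ip, description) findings in log order."""
    findings = []
    posted = defaultdict(int)   # client IPs that already POSTed to the plugin
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.startswith(PLUGIN_PREFIX):
            posted[ip] += 1
            findings.append(("medium", ip, f"POST to plugin handler {path}"))
        elif path.startswith(UPLOAD_PREFIX) and EXEC_EXT.search(path):
            # a script fetched from the upload folder after a POST from the same
            # client is the upload-then-execute sequence the advisory describes
            severity = "high" if posted[ip] else "medium"
            findings.append((severity, ip,
                             f"request for executable {path} (status {rec['status']})"))
    return findings

# constructed sample log; the handler name form-handler.php is invented
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jul/2025:10:01:02 +0000] "GET /wp-content/plugins/ebook-store/readme.txt HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [24/Jul/2025:10:01:05 +0000] "POST /wp-content/plugins/ebook-store/form-handler.php HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.7 - - [24/Jul/2025:10:01:09 +0000] "GET /wp-content/plugins/ebook-store/uploads/x.php?a=1 HTTP/1.1" 200 44 "-" "curl/8.0"
198.51.100.4 - - [24/Jul/2025:10:05:00 +0000] "GET /wp-content/plugins/ebook-store/uploads/guide.pdf HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Jul/2025:10:06:13 +0000] "GET /wp-content/plugins/ebook-store/uploads/b.php.jpg HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

def run_sample():
    return analyze(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for sev, ip, desc in run_sample():
        print(f"[{sev:6}] {ip:15} {desc}")
```

Run it against a real access log with `analyze(open(path).readlines())`; a "high" finding for a client is the sequence to triage first, while a legitimate PDF download from the upload folder produces no finding at all.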
Monitoring Recommendations
- Configure real-time alerting for new file creation events in WordPress content directories, especially for PHP files
- Review web server logs regularly for unusual request patterns targeting the Ebook Store plugin
- Implement endpoint detection to monitor for suspicious process spawning from web server processes
- Enable WordPress audit logging to track plugin-related activities and file system changes
How to Mitigate CVE-2025-7437
Immediate Actions Required
- Update the Ebook Store plugin to a patched version immediately by applying the WordPress Changeset Update
- If immediate patching is not possible, deactivate and remove the Ebook Store plugin until a fix can be applied
- Conduct a thorough review of upload directories for any suspicious files that may indicate prior exploitation
- Consider implementing additional server-side controls to prevent execution of uploaded files
Patch Information
The vulnerability has been addressed in a patch available through the WordPress plugin repository. The fix adds proper file type validation to the ebook_store_save_form function to ensure only legitimate ebook file formats can be uploaded. Administrators should update to the latest version of the plugin that includes this security fix. For detailed patch information, refer to the Wordfence Vulnerability Report.
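The root cause section states that ebook_store_save_form checked neither extension, MIME type nor content, and the patch description says the fix restricts uploads to legitimate ebook formats. The following added example shows, in Python rather than the plugin's PHP, what such a server-side check looks like; it is not the plugin's code or its actual patch. It allow-lists the extensions the page names (PDF, EPUB, MOBI), rejects executable extensions anywhere in the name, verifies the content's magic bytes against the claimed extension, and stores the file under a server-chosen name so the client's filename never reaches the filesystem. All sample files are constructed in the block.

```python
"""Server-side file-type validation for an ebook upload handler, illustrating
the class of check the CVE-2025-7437 fix adds. Added example in Python; not the
plugin's code or its actual patch. Allowed formats follow the advisory."""
import io
import os
import re
import secrets
import zipfile

ALLOWED = {"pdf", "epub", "mobi"}
# executable extensions that must not appear anywhere in the name (book.php.pdf)
DANGEROUS = re.compile(r"^(?:php|phtml|phar|php[0-9])$", re.IGNORECASE)

def content_matches(ext, data):
    """Check that the bytes look like the format the extension claims."""
    if ext == "pdf":
        return data.startswith(b"%PDF-")
    if ext == "mobi":
        # PalmDOC header: type 'BOOK', creator 'MOBI' at offset 60
        return len(data) >= 68 and data[60:68] == b"BOOKMOBI"
    if ext == "epub":
        # EPUB is a ZIP container whose first entry is a 'mimetype' file
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                return (bool(names) and names[0] == "mimetype"
                        and zf.read("mimetype").strip() == b"application/epub+zip")
        except zipfile.BadZipFile:
            return False
    return False

def validate_upload(filename, data):
    """Return (accepted, reason) or, when accepted, (True, stored_filename)."""
    name = os.path.basename(filename.replace("\\", "/"))   # strip any path
    parts = name.split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "missing or empty extension"
    ext = parts[-1].lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if any(DANGEROUS.match(p) for p in parts[1:-1]):
        return False, "executable extension inside filename"
    if not content_matches(ext, data):
        return False, f"content does not match .{ext}"
    stored = f"{secrets.token_hex(16)}.{ext}"   # never reuse the client name
    return True, stored

def _sample_epub():
    """Build a minimal, constructed EPUB-like ZIP in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip")
        zf.writestr("OEBPS/content.opf", "<package/>")
    return buf.getvalue()

# constructed sample uploads: three valid books and four things to reject
SAMPLES = {
    "guide.pdf": b"%PDF-1.7\n% constructed sample\n",
    "novel.epub": _sample_epub(),
    "reader.mobi": b"\x00" * 60 + b"BOOKMOBI" + b"\x00" * 8,
    "shell.php": b"<?php /* constructed, inert sample */",
    "book.php.pdf": b"%PDF-1.7\n",
    "fake.pdf": b"<?php /* PHP bytes behind a .pdf name */",
    "../../wp-config.pdf": b"%PDF-1.7\n",
}

def check_samples():
    """Map each sample name to whether validate_upload accepts it."""
    return {name: validate_upload(name, data)[0] for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:22} -> {validate_upload(name, data)}")
```

The traversal-looking name is accepted only because the path is stripped and the file is stored under a random name; the decision is made on the basename and the bytes, never on the client's path. The MIME type sent by the browser is deliberately ignored, since it is attacker-controlled.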
Workarounds
- Deactivate the Ebook Store plugin until a patched version can be installed
- Implement web server configuration to deny execution of PHP files in the plugin's upload directories
- Deploy a web application firewall rule to block file uploads with dangerous extensions to the affected endpoint
- Restrict access to the WordPress admin and plugin directories using IP-based access controls where feasible
# Apache 2.4 configuration to prevent PHP execution in upload directories
# ("Require" needs mod_authz_core, Apache 2.4; on 2.2 use "Deny from all")
# Add to .htaccess in wp-content/plugins/ebook-store/uploads/; it only takes
# effect if AllowOverride for that directory permits AuthConfig directives.
# The pattern matches the final extension only; with AddHandler-style PHP
# mappings, extend it to also catch names such as file.php.jpg.
<FilesMatch "\.(?:php|phtml|phar|php[0-9])$">
Require all denied
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.