CVE-2025-7437: 
WordPress vulnerability analysis and mitigation

CVE-2025-7437 affects the Ebook Store plugin for WordPress in all versions up to and including 5.8012. The vulnerability was discovered and reported by Wordfence on July 24, 2025. This security issue involves arbitrary file uploads due to missing file type validation in the ebookstoresave_form function (NVD).

The vulnerability stems from insufficient file type validation in the ebookstoresave_form function, which allows unauthenticated attackers to upload arbitrary files to the affected site's server. The issue has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It has been classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site's server, which could potentially lead to remote code execution. This presents a critical security risk as it could allow attackers to take complete control of the affected website (NVD).

Website administrators running the Ebook Store plugin should update to a version newer than 5.8012 once available. Until then, it is recommended to either disable the plugin or implement additional security controls at the web application firewall level to restrict file uploads (NVD).