Description
The Ebook Store plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Order Details in all versions up to, and including, 5.8012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-07-21
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (Administrator+)
Action: Update plugin
AI Analysis

Impact

The Ebook Store plugin for WordPress is vulnerable to Stored Cross‑Site Scripting because the Order Details field is not properly sanitized or escaped. If an authenticated user with administrator privileges injects malicious JavaScript into this field, the script will run in the browser whenever anyone views the affected page, allowing the attacker to deface content, steal session cookies or perform other client‑side attacks.

Affected Systems

The vulnerability affects installations of the Motovnet Ebook Store plugin version 5.8012 and earlier. It is limited to multi‑site WordPress environments where the unfiltered_html capability is disabled, meaning only administrators who can add unrestricted HTML are able to inject the payload.

Risk and Exploitability

With a CVSS score of 4.4 the risk is considered moderate. The EPSS score of less than 1% indicates a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker requires administrator credentials to inject the script; no remote code execution or privilege escalation is possible. Once injected, the malicious code will execute for every visitor who accesses the order details page, potentially compromising their sessions or facilitating phishing attacks.

Generated by OpenCVE AI on April 22, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ebook Store plugin to a version newer than 5.8012 which includes the necessary input sanitization and output escaping.
  • Ensure that the unfiltered_html capability remains disabled for all but essential administrators, or enable it only for trusted users and monitor its usage.
  • Manually review existing order details in the database and remove any injected scripts before deployment.
  • If an immediate upgrade is not feasible, limit administrative access to a small set of trusted accounts and consider disabling or restricting the order details page until the patch can be applied.

Generated by OpenCVE AI on April 22, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-22267 The Ebook Store plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Order Details in all versions up to, and including, 5.8012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
History

Wed, 23 Jul 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 22 Jul 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 21 Jul 2025 22:45:00 +0000

Type Values Removed Values Added
Description The Ebook Store plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Order Details in all versions up to, and including, 5.8012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Ebook Store <= 5.8012 - Authenticated (Administrator+) Stored Cross-Site Scripting via Order Details
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:19.390Z

Reserved: 2025-07-11T14:12:28.372Z

Link: CVE-2025-7486

cve-icon Vulnrichment

Updated: 2025-07-23T16:16:08.529Z

cve-icon NVD

Status : Deferred

Published: 2025-07-21T23:15:25.747

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7486

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T14:45:19Z

Weaknesses