Ebook Store Security & Risk Analysis

wordpress.org/plugins/ebook-store

Stylish and modern ebook seller plugin, with 3D book preview, optional preview file for each book, automated email delivery and order processing.

900 active installs · v5.93 · PHP + WP 3.5.1+ · Updated Dec 5, 2025
Tags: digital-downloads, ebook, paypal, pdf, stripe
Security score: 91 (A · Safe)
CVEs total: 13
Unpatched: 0
Last CVE: Jul 30, 2025
Safety Verdict

Is Ebook Store Safe to Use in 2026?

Generally Safe

Score 91/100

Ebook Store has a strong security track record. Known vulnerabilities have been patched promptly.

13 known CVEs · Last CVE: Jul 30, 2025 · Updated 3mo ago
Risk Assessment

The "ebook-store" plugin v5.93 presents a mixed security posture. It demonstrates some good practices, such as using prepared statements for all SQL queries and including a reasonable number of nonce and capability checks, but several significant concerns remain. The presence of `unserialize` calls is a notable risk: PHP deserialization of attacker-controlled data can lead to Remote Code Execution. Furthermore, escaping only 50% of outputs is a substantial weakness that potentially opens the door to Cross-Site Scripting (XSS) vulnerabilities. The single unprotected REST API route is also a direct entry point for unauthenticated attacks.

The historical vulnerability data is alarming: 13 known CVEs, including one critical and twelve medium severity issues. The recurring vulnerability types (CSRF, unrestricted file upload, XSS, information exposure, and missing authorization) strongly suggest persistent weaknesses in input validation, authorization logic, and output sanitization. Although there are currently no unpatched CVEs, the frequency and nature of past vulnerabilities indicate a pattern of insecure development practices that could easily resurface.

In conclusion, while the plugin has some strengths, particularly in its handling of SQL queries, the significant number of historical vulnerabilities, the presence of dangerous functions like `unserialize`, substantial unescaped output, and an unprotected REST API route create a high-risk profile. Users should exercise extreme caution and ensure prompt patching if any new vulnerabilities are disclosed, given the plugin's past.

Key Concerns

  • 1 unprotected REST API route
  • Only 50% of outputs escaped
  • 3 dangerous function calls (unserialize)
  • 13 total known CVEs (1 critical, 12 medium)
  • Bundled libraries (TCPDF, Stripe PHP; potential for outdated versions)
Vulnerabilities: 13

Ebook Store Security Vulnerabilities

CVEs by Year

2023: 3 CVEs
2024: 4 CVEs
2025: 6 CVEs

Severity Breakdown

Critical: 1
Medium: 12

13 total CVEs

Entry format: CVE · severity · CVSS score · weakness class; affected versions; disclosure date · patch release

CVE-2025-54702 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Ebook Store <= 5.8013 - Cross-Site Request Forgery
Jul 30, 2025 · Patched in 5.8014 (6d)

CVE-2025-8113 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ebook Store <= 5.8014 - Reflected Cross-Site Scripting
Jul 26, 2025 · Patched in 5.8015 (31d)

CVE-2025-7437 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
Ebook Store <= 5.8012 - Unauthenticated Arbitrary File Upload
Jul 23, 2025 · Patched in 5.8013 (1d)

CVE-2025-7486 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ebook Store <= 5.8012 - Authenticated (Administrator+) Stored Cross-Site Scripting via Order Details
Jul 21, 2025 · Patched in 5.8013 (1d)

CVE-2025-49862 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ebook Store <= 5.8008 - Authenticated (Administrator+) Stored Cross-Site Scripting
Jun 12, 2025 · Patched in 5.8009 (6d)

CVE-2025-47589 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ebook Store <= 5.8009 - Authenticated (Contributor+) Stored Cross-Site Scripting
May 7, 2025 · Patched in 5.8010 (50d)

CVE-2024-11287 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ebook Store <= 5.8001 - Reflected Cross-Site Scripting
Dec 20, 2024 · Patched in 5.8002 (89d)

CVE-2024-12262 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ebook Store <= 5.8001 - Reflected Cross-Site Scripting via 'step'
Dec 20, 2024 · Patched in 5.8002 (89d)

CVE-2024-6567 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor
Ebook Store <= 5.8001 - Unauthenticated Full Path Disclosure
Aug 1, 2024 · Patched in 5.8002 (230d)

CVE-2024-23501 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ebook Store <= 5.8001 - Authenticated (Administrator+) Stored Cross-Site Scripting
Mar 1, 2024 · Patched in 5.8002 (25d)

CVE-2023-45602 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ebook Store <= 5.8009 - Reflected Cross-Site Scripting
Oct 9, 2023 · Patched in 5.8010 (626d)

CVE-2023-22690 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ebook Store < 5.78 - Authenticated (Administrator+) Stored Cross-Site Scripting
Apr 19, 2023 · Patched in 5.78 (279d)

CVE-2023-22701 · medium · 6.5 · Missing Authorization
Ebook Store <= 5.775 - Missing Authorization via ebook_store_export_orders
Apr 19, 2023 · Patched in 5.78 (279d)
Code Analysis
Analyzed Mar 16, 2026

Ebook Store Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 279 (281 escaped)
Nonce Checks: 6
Capability Checks: 7
File Operations: 102
External Requests: 4
Bundled Libraries: 2

Dangerous Functions Found

unserialize (EbookStoreEbook.class.php:25): $file = unserialize($this->meta['ebook_wp_custom_attachment'][0]);
unserialize (EbookStoreEbook.class.php:37): $file = unserialize($this->meta['ebook_wp_custom_attachment_' . $format][0]);
unserialize (functions.php:3236): $book = unserialize($meta['ebook_wp_custom_attachment_' . $l][0]);

Bundled Libraries

TCPDF, Stripe PHP

Output Escaping

50% escaped (560 total outputs)
Data Flows
7 unsanitized

Data Flow Analysis

12 flows, 7 with unsanitized paths
ebook_store_check_ipn (ebook_store.php:127)
[Data-flow diagram not reproduced; legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface
1 unprotected

Ebook Store Attack Surface

Entry Points: 9
Unprotected: 1

REST API Routes: 1

POST /wp-json/ebook-store/v1/stripe-webhook (functions.php:4850)

Shortcodes: 8

[ebook_store] (ebook_store.php:289)
[ebook_store_buy] (ebook_store.php:290)
[ebook_thank_you] (ebook_store.php:292)
[ebook_store_row] (ebook_store.php:407)
[ebook_store_downloads] (ebook_store.php:409)
[ebook_store_wpforms] (ebook_store.php:411)
[vc_infobox] (functions.php:4162)
[ebook_store_graduation_form] (modules\mvp.php:117)
WordPress Hooks: 79

action admin_menu (ebook_options.php:4)
action admin_init (ebook_options.php:14)
action elementor/widgets/register (ebook_store.php:55)
action elementor/elements/categories_registered (ebook_store.php:56)
action admin_notices (ebook_store.php:59)
action plugins_loaded (ebook_store.php:64)
action plugins_loaded (ebook_store.php:103)
action init (ebook_store.php:122)
action init (ebook_store.php:123)
action init (ebook_store.php:124)
action init (ebook_store.php:236)
action init (ebook_store.php:240)
action wp_loaded (ebook_store.php:254)
action init (ebook_store.php:255)
action init (ebook_store.php:260)
action init (ebook_store.php:262)
action init (ebook_store.php:264)
action init (ebook_store.php:266)
action manage_posts_custom_column (ebook_store.php:271)
action add_meta_boxes (ebook_store.php:275)
action post_edit_form_tag (ebook_store.php:276)
action save_post (ebook_store.php:279)
action save_post (ebook_store.php:281)
filter the_content (ebook_store.php:285)
filter enter_title_here (ebook_store.php:286)
filter enter_title_here (ebook_store.php:287)
filter manage_edit-ebook_order_columns (ebook_store.php:288)
action init (ebook_store.php:295)
action admin_notices (ebook_store.php:298)
action admin_notices (ebook_store.php:303)
action admin_notices (ebook_store.php:306)
action init (ebook_store.php:313)
filter post_updated_messages (ebook_store.php:317)
action admin_head-post-new.php (ebook_store.php:318)
action admin_head-post.php (ebook_store.php:319)
filter manage_edit-ebook_columns (ebook_store.php:320)
action manage_ebook_posts_custom_column (ebook_store.php:321)
filter upload_mimes (ebook_store.php:322)
action admin_menu (ebook_store.php:323)
filter ebook_store_payment_gateway_parameters (ebook_store.php:335)
action ebook_store_payment_completed (ebook_store.php:336)
action init (ebook_store.php:341)
action init (ebook_store.php:342)
action woocommerce_process_product_meta_ebookstore (ebook_store.php:350)
action woocommerce_process_product_meta (ebook_store.php:351)
action woocommerce_order_details_after_order_table (ebook_store.php:354)
filter woocommerce_order_status_completed (ebook_store.php:357)
filter woocommerce_order_status_pending (ebook_store.php:358)
filter woocommerce_order_status_processing (ebook_store.php:359)
filter woocommerce_order_status_on-hold (ebook_store.php:360)
filter woocommerce_order_status_cancelled (ebook_store.php:361)
filter query_vars (ebook_store.php:365)
action woocommerce_product_data_panels (ebook_store.php:366)
action vc_before_init (ebook_store.php:372)
action ebook_store_file_formats_form (ebook_store.php:377)
action init (ebook_store.php:378)
filter woocommerce_product_data_tabs (ebook_store.php:381)
action admin_footer (ebook_store.php:383)
action wp_enqueue_scripts (ebook_store.php:386)
filter upload_mimes (ebook_store.php:421)
filter upload_dir (functions.php:1138)
filter upload_dir (functions.php:1248)
action wp_footer (functions.php:1435)
filter wp_mail_content_type (functions.php:2690)
action admin_post_ebook_store_test_encryption (functions.php:3044)
action admin_post_nopriv_ebook_store_test_encryption (functions.php:3045)
action init (functions.php:3579)
filter product_type_selector (functions.php:3704)
action init (functions.php:4161)
action woocommerce_after_account_downloads (functions.php:4656)
action admin_post_ebook_store_test_encryption (functions.php:4707)
action admin_post_nopriv_ebook_store_test_encryption (functions.php:4708)
action rest_api_init (functions.php:4847)
action init (modules\mvp.php:3)
action save_post (modules\mvp.php:4)
action ebook_store_extend_options (modules\mvp.php:5)
action ebook_settings_page_extend (modules\mvp.php:6)
filter ebook_store_form_extend (modules\mvp.php:45)
action init (modules\mvp.php:224)
Maintenance & Trust

Ebook Store Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Dec 5, 2025
PHP min version:
Downloads: 144K

Community Trust

Rating: 88/100
Number of ratings: 59
Active installs: 900
Developer Profile

Ebook Store Developer Profile

motov.net

2 plugins · 910 total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 132 days
Detection Fingerprints

How We Detect Ebook Store

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ebook-store/css/jquery-ui.css
/wp-content/plugins/ebook-store/css/bootstrap.min.css
/wp-content/plugins/ebook-store/css/ebook-store.css
/wp-content/plugins/ebook-store/js/ebook-store.js
/wp-content/plugins/ebook-store/js/ebook-store-admin.js
/wp-content/plugins/ebook-store/js/pdfmake.min.js
/wp-content/plugins/ebook-store/js/vfs_fonts.js
Script Paths
/wp-content/plugins/ebook-store/js/ebook-store.js
/wp-content/plugins/ebook-store/js/ebook-store-admin.js
/wp-content/plugins/ebook-store/js/pdfmake.min.js
/wp-content/plugins/ebook-store/js/vfs_fonts.js
Version Parameters
ebook-store/css/jquery-ui.css?ver=
ebook-store/css/bootstrap.min.css?ver=
ebook-store/css/ebook-store.css?ver=
ebook-store/js/ebook-store.js?ver=
ebook-store/js/ebook-store-admin.js?ver=
ebook-store/js/pdfmake.min.js?ver=
ebook-store/js/vfs_fonts.js?ver=

HTML / DOM Fingerprints

CSS Classes
ebook-store-form, ebook-store-buy-button, ebook-store-donation-form, ebook-store-download-link
HTML Comments
<!-- Ebook Store End -->
<!-- Ebook Store Start -->
<!-- Ebook Store IPN Listener -->
Data Attributes
data-ebook-id, data-nonce, data-price, data-currency, data-action, data-method (+1 more)
JS Globals
ebook_store_ajax_url, ebook_store_params, ebook_store_nonce, ebook_store_settings
REST Endpoints
/wp-json/ebook-store/v1/get-form
/wp-json/ebook-store/v1/process-payment
Shortcode Output
[ebook_store_buy_button], [ebook_store_donation_form], [ebook_store_download_link]
FAQ

Frequently Asked Questions about Ebook Store