Description
The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' and 'mode' parameters in all versions up to, and including, 1.16.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This issue affects only block-based themes.
Published: 2025-06-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Persistent Cross-Site Scripting via 'style' and 'mode' parameters
Action: Apply Patch
AI Analysis

Impact

The 3D FlipBook plugin for WordPress allows an attacker with Contributor or higher access to inject arbitrary JavaScript by abusing the style and mode parameters when adding or editing a block. The input is not sanitized or escaped, so the payload is stored in the page content and executed each time a user opens the affected page, enabling an attacker to deface the site, steal credentials, or deliver malware.
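The defect class described above, shown as an added example in PHP. This is not the 3D FlipBook plugin's code: the block name `flipbook-demo/viewer`, the attribute names, the function names and the allowed mode values are assumptions chosen for illustration. The unsafe callback concatenates saved block attributes straight into markup; the hardened one allowlists the closed-set `mode` value, filters the free-form `style` value with WordPress core's `safecss_filter_attr()`, and escapes both at output with `esc_attr()`.

```php
<?php
/**
 * Added example (not the 3D FlipBook plugin's code). Block name, attribute
 * names, function names and the allowed mode list are assumptions.
 */

// Assumed allowlist of view modes the hypothetical block understands.
const FLIPBOOK_DEMO_ALLOWED_MODES = array( 'normal', 'fullscreen', 'thumbnails' );

/**
 * Vulnerable pattern (for contrast only): attributes saved with the block are
 * concatenated straight into HTML. Whoever can save the block controls both
 * values, and whatever is stored is rendered verbatim on every page view.
 */
function flipbook_demo_render_unsafe( array $attributes ): string {
    $mode  = $attributes['mode'] ?? 'normal';
    $style = $attributes['style'] ?? '';
    return '<div class="flipbook-demo" data-mode="' . $mode . '" style="' . $style . '"></div>';
}

/**
 * Hardened pattern: validate on input, filter free-form CSS, escape on output.
 */
function flipbook_demo_render_hardened( array $attributes ): string {
    // 1. 'mode' is a closed set of tokens, so allowlist it instead of escaping it.
    $mode = isset( $attributes['mode'] ) ? (string) $attributes['mode'] : 'normal';
    if ( ! in_array( $mode, FLIPBOOK_DEMO_ALLOWED_MODES, true ) ) {
        $mode = 'normal';
    }

    // 2. 'style' is free-form CSS. safecss_filter_attr() (WordPress core, kses.php)
    //    keeps only allowed properties and strips dangerous constructs.
    $style = isset( $attributes['style'] )
        ? safecss_filter_attr( (string) $attributes['style'] )
        : '';

    // 3. Escape at the point of output regardless of earlier filtering, so a
    //    quote in either value cannot break out of the attribute context.
    return sprintf(
        '<div class="flipbook-demo" data-mode="%s" style="%s"></div>',
        esc_attr( $mode ),
        esc_attr( $style )
    );
}

// Register the hardened callback as a server-rendered block (assumed block name).
add_action( 'init', function () {
    register_block_type( 'flipbook-demo/viewer', array(
        'attributes'      => array(
            'mode'  => array( 'type' => 'string', 'default' => 'normal' ),
            'style' => array( 'type' => 'string', 'default' => '' ),
        ),
        'render_callback' => 'flipbook_demo_render_hardened',
    ) );
} );
```

The design point is that filtering applied when a post is saved is not a substitute for escaping at render time: block attributes travel as JSON inside the block delimiter comment, not as HTML tags, so a render callback must treat them as untrusted input every time it emits markup.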

Affected Systems

WordPress sites running version 1.16.15 or earlier of the 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin together with a block-based theme.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating moderate severity. The EPSS score of less than 1% suggests a low probability of public exploitation, and it is not listed in the CISA KEV catalog. Attackers must authenticate with a role that can modify blocks; once the malicious payload is stored, any visitor to the page will trigger the script. Because only block-based themes are affected, exposure is limited to sites running such a theme.

Generated by OpenCVE AI on April 21, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the 3D FlipBook plugin to the latest version that fixes the XSS bug.
  • If an upgrade is unavailable or delayed, deactivate or uninstall the plugin to eliminate the injection surface.
  • Restrict Contributor-level access to block editing, or remove the ability to set custom 'style' and 'mode' parameters through the UI.

Advisories
Source: EUVD
ID: EUVD-2025-18874
Title: The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' and 'mode' parameters in all versions up to, and including, 1.16.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This issue affects only block-based themes.
History

Wed, 09 Jul 2025 19:45:00 +0000

Type: First Time appeared
  Values added: 3dflipbook; 3dflipbook 3d Flipbook
Type: CPEs
  Values added: cpe:2.3:a:3dflipbook:3d_flipbook:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Values added: 3dflipbook; 3dflipbook 3d Flipbook

Mon, 23 Jun 2025 15:15:00 +0000

Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 21 Jun 2025 11:15:00 +0000

Type: Description
  Values added: The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' and 'mode' parameters in all versions up to, and including, 1.16.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This issue affects only block-based themes.
Type: Title
  Values added: 3D FlipBook - Lite Edition <= 1.16.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via style and mode Parameters
Type: Weaknesses
  Values added: CWE-79
Type: References
  Values added:
Type: Metrics (cvssV3_1)
  Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:48.697Z

Reserved: 2025-05-27T20:50:24.544Z

Link: CVE-2025-5289

Vulnrichment

Updated: 2025-06-23T15:03:48.462Z

NVD

Status: Analyzed

Published: 2025-06-21T11:15:35.240

Modified: 2025-07-09T19:22:16.377

Link: CVE-2025-5289

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:15:44Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')