Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FlippingBook FlippingBook flippingbook allows DOM-Based XSS. This issue affects FlippingBook: from n/a through <= 2.0.1.
Published: 2025-12-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FlippingBook's WordPress plugin contains a DOM-based XSS flaw caused by improper neutralization of user input during page generation. An attacker can supply malicious data that is rendered directly into the plugin's output, allowing the execution of arbitrary JavaScript within the context of a site visitor's browser. Based on the description, it is inferred that this could enable theft of session cookies, defacement of the site, or delivery of phishing payloads.

Affected Systems

All installations of the FlippingBook WordPress plugin with a version of 2.0.1 or earlier are affected. The flaw applies to the plugin bundle across all supported WordPress environments, regardless of hosting or server platform.

Risk and Exploitability

The CVSS score of 6.5 places the issue in the medium severity range, and the EPSS score of less than 1% indicates a low current probability of exploitation in the wild. The flaw is not listed in CISA's KEV catalog. Exploitation is likely to occur through crafted URLs or input fields that the plugin fails to sanitize, and does not require privileged access to the site server. The attack vector is inferred as web-based injection targeting end-user browsers.

Generated by OpenCVE AI on April 29, 2026 at 12:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FlippingBook WordPress plugin to version 2.0.2 or newer, which contains the required input sanitization fix
  • If an update is not immediately possible, consider disabling the plugin or removing it entirely from the site
  • Apply a Content Security Policy (CSP) that restricts executable script sources to trusted origins, thereby limiting the impact of any remaining injection vectors

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Flippingbook; Flippingbook flippingbook; Wordpress; Wordpress wordpress
Vendors & Products  |                | Flippingbook; Flippingbook flippingbook; Wordpress; Wordpress wordpress

Tue, 30 Dec 2025 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
        |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Dec 2025 11:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FlippingBook FlippingBook flippingbook allows DOM-Based XSS. This issue affects FlippingBook: from n/a through <= 2.0.1.
Title       |                | WordPress FlippingBook plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses  |                | CWE-79
References  |                |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:33:17.764Z

Reserved: 2025-12-29T11:18:30.572Z

Link: CVE-2025-69019

Vulnrichment

Updated: 2025-12-30T14:22:56.307Z

NVD

Status: Deferred

Published: 2025-12-30T11:16:00.260

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69019

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:15:09Z

Weaknesses