Impact
The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress contains a missing capability check (CWE-862) on the send_post_pages_json() function. As a result, unauthenticated users can call this endpoint and retrieve metadata about flipbook pages that are draft, private, or password‑protected. This flaw exposes confidential content without requiring any authentication or privilege escalation, leading to potential information disclosure and privacy violations.
Affected Systems
WordPress sites that have installed the 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin from vendor iberezansky. Versions up to and including 1.16.17 are affected; any installation using these or earlier releases is vulnerable.
Risk and Exploitability
The vulnerability is scored 5.3 on CVSS, indicating low severity. An EPSS score of <1% suggests a very low probability of exploitation. Exploitability is likely high because the flaw relies solely on a missing authorization check and does not require any additional conditions. The CVE is not listed in the CISA KEV catalog, indicating that there are no known publicly exploited versions or widespread exploitation at this time. With limited publicly reported exploitation, the risk remains plausible for targeted attacks that can easily enumerate private flipbooks over the network.
OpenCVE Enrichment