Description
The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticated attackers to retrieve flipbook page metadata for draft, private and password-protected flipbooks.
Published: 2026-04-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to private or draft flipbook metadata
Action: Update Plugin
AI Analysis

Impact

The 3D FlipBook plugin for WordPress contains a missing capability check on the send_post_pages_json() function. As a result, unauthenticated users can call this endpoint and retrieve metadata about flipbook pages that are draft, private, or password‑protected. This flaw exposes confidential content without requiring any authentication or privilege escalation, leading to potential information disclosure and privacy violations.

Affected Systems

WordPress sites that have installed the "3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery" plugin from vendor iberezansky. Versions up to and including 1.16.17 are affected; any installation using these or earlier releases is vulnerable.

Risk and Exploitability

The vulnerability is scored 5.3 on CVSS, indicating moderate severity. Exploitability is likely high because the flaw relies solely on a missing authorization check and does not require any additional conditions. With limited publicly reported exploitation, the risk remains plausible for targeted attacks that can easily enumerate private flipbooks over the network.

Generated by OpenCVE AI on April 15, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the 3D FlipBook plugin to a revision newer than 1.16.17 that implements the missing capability check.
  • If an update is unavailable, modify the send_post_pages_json() function in the plugin’s code to verify the caller’s capability before returning any data.
  • Configure role‑based permissions or employ a security plugin to block unauthenticated requests to the flipbook JSON endpoint, or otherwise restrict access to private and draft flipbooks.

Generated by OpenCVE AI on April 15, 2026 at 01:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Iberezansky
Iberezansky 3d Flipbook – Pdf Embedder, Pdf Flipbook Viewer, Flipbook Image Gallery
Wordpress
Wordpress wordpress
Vendors & Products Iberezansky
Iberezansky 3d Flipbook – Pdf Embedder, Pdf Flipbook Viewer, Flipbook Image Gallery
Wordpress
Wordpress wordpress

Tue, 14 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticated attackers to retrieve flipbook page metadata for draft, private and password-protected flipbooks.
Title 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery <= 1.16.17 - Missing Authorization to Unauthenticated Private/Draft Flipbook Data Exposure
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Iberezansky 3d Flipbook – Pdf Embedder, Pdf Flipbook Viewer, Flipbook Image Gallery
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-15T16:22:29.670Z

Reserved: 2026-01-21T22:07:21.915Z

Link: CVE-2026-1314

cve-icon Vulnrichment

Updated: 2026-04-15T16:22:21.750Z

cve-icon NVD

Status : Received

Published: 2026-04-15T04:17:32.963

Modified: 2026-04-15T04:17:32.963

Link: CVE-2026-1314

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:53:36Z

Weaknesses