CVE-2026-1314 Scanner
CVE-2026-1314 Scanner - Information Disclosure vulnerability in WordPress 3D FlipBook - PDF Flipbook Viewer, Flipbook Image Gallery
Short Info
Level
Single Scan
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 13 hours
Scan only one: Domain, Subdomain, IPv4
The WordPress 3D FlipBook - PDF Flipbook Viewer, Flipbook Image Gallery is widely used in the web development and content management realm, particularly within WordPress websites. This plugin allows users to create engaging and interactive 3D flipbooks, integrating PDF viewing and image galleries, making it a popular choice for creatives and businesses to display content dynamically. Its user-friendly interface attracts non-technical users as well as web developers seeking to enhance visual storytelling on their sites. The plugin's widespread use makes it a critical component for many online businesses and personal websites, particularly those communicating complex information or large content collections. Many educational, artistic, and commercial sites leverage this plugin for the enhanced presentation of e-brochures, catalogues, and books. These functionalities make the plugin essential for users desiring increased audience engagement and enhanced content interaction.
The Information Disclosure vulnerability detected in this plugin allows unauthenticated attackers to read data belonging to private flipbook posts, including full metadata, PDF URLs, and configuration data. The vulnerability arises because several AJAX endpoints fail to verify the post status of the requested entries, so confidential information is returned to any caller. Exploiting it could lead to unauthorized access to the metadata and URLs of private flipbooks, compromising the privacy and integrity of user data. It is also a violation of data access policy, because it bypasses the authorization checks the rest of the site relies on. The result is unauthorized, public exposure of sensitive user data held by the plugin. Addressing this vulnerability is crucial to protect that information from misuse and unauthorized disclosure.
The vulnerability is located in the plugin's AJAX handlers: fb3d_send_posts_in, fb3d_send_post_pages, fb3d_send_posts_in_pages, fb3d_send_posts_in_first_page, and fb3d_send_post_first_page. These handlers are registered with wp_ajax_nopriv hooks, which makes them reachable without login credentials. None of them verifies the post status of the requested flipbook entries, which leads directly to the Information Disclosure issue. Attackers can use these endpoints to retrieve sensitive and potentially confidential information, bypassing the intended protections. Because the handlers are open to anonymous callers, the missing check means no authorization decision is made before data is returned. These entry points need a post status and permission check to prevent leaks.
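The missing check described above, as an added example (not the plugin's code or the vendor's patch): a handler reachable through a wp_ajax_nopriv hook that resolves the requested post and returns data only when the post is published or the caller may read it. The example_ names and the id request parameter are assumptions.

```php
<?php
// Added example, not the plugin's code. The example_ names and the 'id'
// request parameter are assumptions made for illustration.

// Pure decision: may data for a post in this status go to this caller?
function example_may_disclose(?string $status, bool $caller_can_read): bool
{
    if ($status === null) {
        return false;            // unknown post ID: disclose nothing
    }
    if ($status === 'publish') {
        return true;             // public content, anonymous access is fine
    }
    return $caller_can_read;     // private, draft, pending, future, trash
}

// AJAX handler: resolve the post, apply the gate, only then build the response.
function example_send_post_pages(): void
{
    $id     = isset($_REQUEST['id']) ? absint($_REQUEST['id']) : 0;
    $post   = $id ? get_post($id) : null;
    $status = $post ? (get_post_status($post) ?: null) : null;
    $can    = $post && current_user_can('read_post', $post->ID);

    if (!example_may_disclose($status, $can)) {
        // Same reply for "missing" and "not allowed" so IDs cannot be probed.
        wp_send_json_error(['message' => 'Not found'], 404);
    }
    wp_send_json_success(['id' => $post->ID, 'title' => get_the_title($post)]);
}

if (function_exists('add_action')) {
    // Inside WordPress: the nopriv hook makes the handler reachable anonymously,
    // so the status gate above is the only thing protecting non-public posts.
    add_action('wp_ajax_example_send_post_pages', 'example_send_post_pages');
    add_action('wp_ajax_nopriv_example_send_post_pages', 'example_send_post_pages');
} else {
    // Outside WordPress (php example.php): run the gate on constructed cases.
    foreach ([['publish', false], ['private', false], ['draft', false],
              ['private', true], [null, false]] as [$status, $can]) {
        printf("%-8s can_read=%d => %s\n", $status ?? 'missing', (int) $can,
            example_may_disclose($status, $can) ? 'send' : 'deny');
    }
}
```

The explicit publish branch is needed because anonymous visitors hold no capabilities, so current_user_can('read_post', ...) is false for them even on public posts.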
Potential exploitation of this vulnerability can lead to unauthorized access to sensitive data contained within the flipbook plugin, significantly impacting users' privacy and data security. Attackers could use exposed information for various malicious purposes, including data theft, unauthorized data manipulation, or phishing. The unintended release of confidential flipbook data could weaken the credibility and trust in the websites using the plugin, resulting in possible brand damage or loss of user confidence. The vulnerability potentially allows exposure of secure or private communications and documents, leading to further data breach risks. Additionally, unauthorized data access might result in regulatory non-compliance, further affecting organizations' financial and reputational standing.
REFERENCES
- https://patchstack.com/database/wordpress/plugin/interactive-3d-flipbook-powered-physics-engine/vulnerability/wordpress-3d-flipbook-pdf-embedder-pdf-flipbook-viewer-flipbook-image-gallery-plugin-1-16-17-missing-authorization-to-unauthenticated-private-draft-flipbook-data-exposure-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2026-1314