Stored Cross-Site Scripting in 3D FlipBook Plugin for WordPress
CVE-2023-6776

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: 3D FlipBook – PDF Flipbook WordPress
Vendor: CVE Published:; 11 January 2024

Summary

The 3D FlipBook plugin for WordPress has a vulnerability that allows stored cross-site scripting (XSS) through the 'Ready Function' field. This flaw arises from inadequate input sanitization and output escaping in all versions up to 1.15.2. Attackers with contributor-level access can exploit this vulnerability to inject arbitrary scripts into pages. These scripts execute whenever users access the affected pages, potentially compromising user data and leading to further exploits.

Affected Version(s)

3D FlipBook – PDF Flipbook WordPress * <= 1.15.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3014013/inte...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 11, 2024
Vulnerability Reserved
Dec 13, 2023

Credit

Craig Smith