CVE-2023-6776 in 3D Flipbook Plugininfo

Summary

by MITRE • 01/11/2024

The 3D FlipBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Ready Function’ field in all versions up to, and including, 1.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/11/2026

The CVE-2023-6776 vulnerability affects the 3D FlipBook plugin for WordPress, representing a critical stored cross-site scripting weakness that compromises user security across multiple versions through 1.15.2. This vulnerability specifically targets the 'Ready Function' field within the plugin's administrative interface, where insufficient input sanitization and output escaping create exploitable conditions for malicious code injection. The flaw enables authenticated attackers who possess contributor-level access or higher to introduce persistent malicious scripts that execute whenever any user accesses pages containing the injected content, fundamentally undermining the integrity of the WordPress platform and its user base.

The technical exploitation of this vulnerability stems from inadequate validation mechanisms within the plugin's input processing pipeline. When administrators or contributors submit data through the 'Ready Function' field, the plugin fails to properly sanitize or escape the input before storing it in the database. This stored data then gets rendered without proper output encoding when pages are accessed by other users, creating a classic stored XSS attack vector. The vulnerability operates under CWE-79 which categorizes improper neutralization of input during web output creation as a fundamental weakness in web application security. The attack requires minimal privileges, as contributors can execute this exploit, making the vulnerability particularly concerning for WordPress installations where multiple users have varying access levels.

The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform a wide range of malicious activities including session hijacking, credential theft, and redirection to malicious websites. When compromised users access pages containing the injected scripts, their browsers execute the malicious code in the context of the vulnerable site, potentially allowing attackers to steal cookies, modify page content, or redirect users to phishing sites. This threat model aligns with ATT&CK technique T1531 which describes the use of malicious code to gain access to user sessions and credentials. The vulnerability's persistence through stored data means that the malicious scripts continue to execute for all affected users until the malicious content is removed from the database, creating a long-term security risk for the affected WordPress installations.

Organizations and WordPress administrators should immediately implement multiple layers of mitigation strategies to address this vulnerability. The primary recommendation involves updating the 3D FlipBook plugin to the latest version where the XSS vulnerability has been patched, though this requires careful testing to ensure compatibility with existing installations. Additionally, implementing proper input validation and output escaping mechanisms at the application level can provide defense-in-depth protection. Network-based solutions such as web application firewalls can offer temporary protection by filtering malicious payloads before they reach the application. Access control measures should also be reviewed to minimize the risk of unauthorized users gaining contributor-level privileges, as the vulnerability requires at least this level of access to be exploited. Regular security audits and penetration testing of WordPress installations can help identify similar vulnerabilities before they can be exploited by malicious actors.

Responsible

Wordfence

Reservation

12/13/2023

Disclosure

01/11/2024

Moderation

accepted

CPE

ready

EPSS

0.00335

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!