CVE-2024-1081 in 3D FlipBook Plugin
Summary
by MITRE • 02/21/2024
The 3D FlipBook – PDF Flipbook WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bookmark feature in all versions up to, and including, 1.15.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/12/2026
The vulnerability identified as CVE-2024-1081 affects the 3D FlipBook - PDF Flipbook WordPress plugin, a popular tool for creating interactive PDF flipbooks within WordPress environments. This security flaw exists in all versions up to and including 1.15.3, representing a significant risk to WordPress sites that utilize this plugin. The vulnerability stems from inadequate input validation and output escaping mechanisms within the plugin's bookmark functionality, creating an exploitable condition that allows malicious actors to inject persistent malicious scripts into the WordPress environment.
The technical implementation of this vulnerability occurs through the plugin's bookmark feature, which fails to properly sanitize user input before storing it in the database. When authenticated users with contributor-level permissions or higher access the bookmark functionality, they can inject malicious JavaScript code that gets stored persistently within the plugin's data structures. This stored content is then executed whenever any user accesses pages containing the malicious bookmark data, making it a classic case of stored cross-site scripting vulnerability. The flaw operates at the intersection of improper input validation and insufficient output escaping, where user-supplied data flows directly into the application's output without adequate sanitization.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with a persistent foothold within the WordPress environment. Contributors and higher-level users typically have significant privileges within WordPress sites, including the ability to create and modify content, manage media, and potentially access sensitive administrative functions. Once an attacker successfully injects malicious scripts through the bookmark feature, they can execute arbitrary code in the context of any user who views the affected pages, potentially leading to session hijacking, data exfiltration, or further privilege escalation. The vulnerability's persistence means that the malicious scripts remain active until manually removed from the database, making it particularly dangerous for long-term compromise of WordPress installations.
From a cybersecurity framework perspective, this vulnerability aligns with CWE-79: Improper Neutralization of Input During Web Page Generation, which specifically addresses cross-site scripting vulnerabilities resulting from inadequate input sanitization. The ATT&CK framework categorizes this as a form of code injection, potentially enabling techniques such as credential theft through session hijacking or privilege escalation within the compromised WordPress environment. Organizations using this plugin should immediately implement mitigations including updating to the latest plugin version, implementing role-based access controls to limit contributor privileges, and conducting thorough security audits of stored bookmark data. The vulnerability demonstrates the critical importance of input validation and output escaping in web applications, particularly within content management systems where user-generated content flows through multiple processing layers before reaching end users.