CVE-2025-5289 in FlipBook Plugininfo

Summary

by MITRE • 06/21/2025

The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ and 'mode' parameters in all versions up to, and including, 1.16.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This issue affects only block-based themes.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2025

The vulnerability CVE-2025-5289 affects the 3D FlipBook WordPress plugin, specifically targeting versions up to and including 1.16.15. This security flaw resides within the plugin's handling of user input parameters, making it particularly dangerous for WordPress sites that utilize block-based themes. The vulnerability manifests as a stored cross-site scripting issue that occurs when the plugin processes the 'style' and 'mode' parameters, creating a persistent security risk that can be exploited by attackers with relatively low privileges.

The technical root cause of this vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase. When authenticated users with Contributor-level access or higher submit content through the affected parameters, the plugin fails to properly validate or escape the input data before storing it in the database. This allows malicious scripts to be permanently embedded within the plugin's functionality, creating a persistent threat that will execute whenever any user accesses pages containing the injected content. The vulnerability specifically impacts block-based themes because these themes process and render content differently than traditional themes, creating additional attack surface for the stored XSS exploit.

The operational impact of this vulnerability is significant for WordPress administrators and content creators who rely on the 3D FlipBook plugin. Attackers with Contributor access can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or further exploitation of the compromised WordPress installation. The stored nature of the vulnerability means that once injected, the malicious code persists indefinitely until manually removed by administrators, making it particularly dangerous for sites with high user activity or those that frequently update content. This vulnerability undermines the security model of WordPress by allowing low-privilege users to create persistent threats that can affect all site visitors.

Mitigation strategies for this vulnerability should focus on immediate patching of the affected plugin to the latest version where the XSS issues have been resolved. Administrators should also implement additional security measures including regular monitoring of user activity and content changes, particularly for users with Contributor-level access or higher. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and can be categorized under ATT&CK technique T1566.001 for malicious content injection. Organizations should also consider implementing content security policies and input validation measures at the web application firewall level to provide additional defense-in-depth protection against similar vulnerabilities. Regular security audits of WordPress plugins and themes remain essential for identifying and addressing potential security gaps before they can be exploited by malicious actors.

Reservation

05/27/2025

Disclosure

06/21/2025

Moderation

accepted

CPE

ready

EPSS

0.00205

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!