# 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery <= 1.16.17 - Missing Authorization to Unauthenticated Private/Draft Flipbook Data Exposure

- **CVE:** CVE-2026-1314
- **Plugin slug:** `interactive-3d-flipbook-powered-physics-engine` (WordPress plugin; no theme involved)
- **Affected versions:** <= 1.16.17
- **Patched in:** 1.16.18
- **Severity:** Medium, CVSS 5.3 (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`)
- **Vulnerability type:** Missing Authorization
- **Published:** 2026-04-14 10:49:26; **updated:** 2026-04-14 23:26:07; days to patch: 1
- **References:** https://www.wordfence.com/threat-intel/vulnerabilities/id/d7e41753-2dbf-4afa-b61e-e617be2c4dc2?source=api-prod
- **Source links:** vulnerable snapshot 1.16.13 (browse: https://plugins.trac.wordpress.org/browser/interactive-3d-flipbook-powered-physics-engine/tags/1.16.13, zip: https://downloads.wordpress.org/plugin/interactive-3d-flipbook-powered-physics-engine.1.16.13.zip); all tags: https://plugins.trac.wordpress.org/browser/interactive-3d-flipbook-powered-physics-engine/tags. No fixed-version snapshot, patch diff files or Trac patch URL are recorded for this entry.

## Description

The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `send_post_pages_json()` function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticated attackers to retrieve flipbook page metadata for draft, private and password-protected flipbooks.

## Research summary

Status: researched (3 rounds, model `gemini-3-flash-preview`, 2026-04-16 15:50:49 to 15:51:16), **not verified**; no proof of concept (video, steps, trace or exploit code) has been recorded. The action name, file path, meta key and code below are the research pass's reconstruction from the advisory text and common plugin patterns, not confirmed against the plugin source.

The 3D FlipBook plugin for WordPress fails to enforce authorization and post-status checks in the AJAX handler that returns flipbook data. This allows unauthenticated attackers to access metadata and file URLs for flipbooks that are in draft, private, or password-protected states.

## Exploitation Research Plan: CVE-2026-1314 (3D FlipBook)

### 1. Vulnerability Summary
The **3D FlipBook** plugin for WordPress (versions <= 1.16.17) contains a missing authorization vulnerability in the `send_post_pages_json()` function. This function provides page metadata for flipbook posts via AJAX, but it performs neither a capability check nor a post-visibility (status) check before returning data. Consequently, an unauthenticated attacker can retrieve configuration and metadata for flipbooks that are **Draft**, **Private**, or **Password-Protected**.

### 2. Attack Vector Analysis
- **Endpoint:** `/wp-admin/admin-ajax.php`
- **Action:** `ibooks_get_post_pages` (inferred from common plugin patterns and the function name `send_post_pages_json`; not confirmed)
- **HTTP Method:** `POST` (admin-ajax.php dispatches both `GET` and `POST`; the reconstructed handler reads `$_POST`, so use `POST`)
- **Parameters:**
    - `action`: `ibooks_get_post_pages`
    - `post_id`: the ID of the target flipbook (Draft/Private/Password-protected)
    - `_ajax_nonce`: a valid WordPress nonce, if the handler verifies one
- **Authentication:** none. The advisory describes the issue as unauthenticated, so a `wp_ajax_nopriv_` registration must exist for the action.

### 3. Code Flow
1. **Entry Point:** An unauthenticated user sends a request to `admin-ajax.php` with the action `ibooks_get_post_pages`.
2. **Hook Registration:** The plugin registers the handler (likely in `includes/class-interactive-3d-flipbook.php` or similar):
   ```php
   add_action('wp_ajax_ibooks_get_post_pages', array($this, 'send_post_pages_json'));
   add_action('wp_ajax_nopriv_ibooks_get_post_pages', array($this, 'send_post_pages_json'));
   ```
3. **Vulnerable Function:** `send_post_pages_json()` is called.
4. **Data Retrieval:** The function reads `post_id` from the request.
5. **Missing Authorization:** The function calls `get_post($post_id)` or reads post meta directly. It never checks:
    - whether the current user has the `read_post` capability for that ID;
    - whether the post status is `publish`;
    - whether `post_password_required($post_id)` is true.
6. **Information Sink:** The function returns a JSON response containing the flipbook's page structure, source URLs (PDFs or images) and configuration metadata.

### 4. Nonce Acquisition Strategy
The plugin typically localizes a nonce for its AJAX operations. Because the handler is reachable without login, any nonce it checks must also be available to logged-out visitors on pages where the flipbook script is loaded. That is also why a nonce cannot stand in for the missing capability check: WordPress nonces protect against CSRF, not against an attacker who can read the nonce out of a public page.

1. **Identify Script Localization:** The plugin uses `wp_localize_script()` to pass the AJAX URL and a nonce to the frontend.
2. **Setup:** Create a public page containing a published flipbook shortcode so the script and nonce are rendered.
3. **Shortcode:** `[3d-flipbook id="EXISTING_PUBLIC_ID"]`
4. **Execution:**
   - Use `browser_navigate` to visit the public page.
   - Use `browser_eval` to extract the nonce from the global JavaScript object; based on the plugin's naming, the object is likely `ibooks_options` or `r3d_vars`.
   - **Command:** `browser_eval("window.ibooks_options?.nonce || window.r3d_vars?.nonce")` (exact key to be verified on initial environment inspection).

### 5. Exploitation Strategy
1. **Discovery:** Find or guess the `post_id` of a private/draft flipbook. In a test environment, create one.
2. **Nonce Extraction:** Navigate to a page containing any public 3D FlipBook to obtain a valid nonce for the `ibooks_get_post_pages` action.
3. **Exploit Request:** Use the `http_request` tool to send the unauthorized request.

**Request Details:**
- **URL:** `http://<target>/wp-admin/admin-ajax.php`
- **Method:** `POST`
- **Headers:** `Content-Type: application/x-www-form-urlencoded`
- **Body:** `action=ibooks_get_post_pages&post_id=<PRIVATE_POST_ID>&_ajax_nonce=<EXTRACTED_NONCE>`

### 6. Test Data Setup
1. **Create Target Content:**
   - Create a new "3D FlipBook" post (custom post type `3d-flipbook`).
   - Set the title to "Secret Flipbook".
   - Set the visibility to **Private** or the status to **Draft**.
   - Note the **Post ID** (e.g., `101`).
2. **Create Public Helper:**
   - Create a second "3D FlipBook" post and publish it.
   - Create a public Page and embed the published flipbook with the shortcode `[3d-flipbook id="<PUBLIC_ID>"]`.
   - Note this Page's URL.

### 7. Expected Results
- The request to `admin-ajax.php` for the private `post_id` returns **HTTP 200 OK**.
- The response body is a JSON object describing the flipbook, for example:
  - `pages`: an array of page objects;
  - `pdfUrl`: the path to the underlying PDF file (potentially exposing a sensitive document);
  - `thumbnail`: URLs of page thumbnails.
- If the vulnerability is present, this data is returned although the post is Private/Draft.

### 8. Verification Steps
1. **Confirm Post Status:** Use WP-CLI to confirm the target post is not public:
   `wp post get <PRIVATE_POST_ID> --field=post_status`
2. **Check Response:** Verify that the JSON response contains the key `"pages"` or `"src"`, which shows the metadata was leaked.
3. **Validate Unauthenticated Context:** Send the `http_request` without any authentication cookies. No cookie is needed for the nonce either: for a logged-out visitor WordPress derives the nonce from the action and the current time tick alone, so every anonymous visitor shares the same nonce for that window.

### 9. Alternative Approaches
- **Action Guessing:** If `ibooks_get_post_pages` is wrong, search the plugin folder for `wp_ajax_nopriv` to find the real action string:
  `grep -r "wp_ajax_nopriv" /var/www/html/wp-content/plugins/interactive-3d-flipbook-powered-physics-engine/`
- **No Nonce:** Check whether the handler verifies a nonce at all. If neither `wp_verify_nonce` nor `check_ajax_referer` appears in `send_post_pages_json`, the request can be sent without any prior extraction.
- **Parameter Variation:** Try `id` instead of `post_id` if the first attempt fails.

## Exploit outline
1. Identify a target WordPress site running 3D FlipBook <= 1.16.17.
2. Obtain a valid AJAX nonce for the `ibooks_get_post_pages` action, typically by viewing any public page where a flipbook is embedded and reading the localized JavaScript variable `ibooks_options.nonce`.
3. Determine the `post_id` of a flipbook post that is Private, Draft, or Password-Protected (often findable by ID enumeration).
4. Send a POST request to `/wp-admin/admin-ajax.php` with `action=ibooks_get_post_pages`, `post_id=<TARGET_ID>` and `_ajax_nonce=<EXTRACTED_NONCE>`.
5. The server responds with a JSON object containing the private flipbook's configuration, including page counts, image URLs and the direct source URL of the PDF file.

## Vulnerable code (as reconstructed by the research pass)
```php
// send_post_pages_json() in versions <= 1.16.17, as reconstructed in the (unverified) research pass
public function send_post_pages_json() {
  $post_id = isset($_POST['post_id']) ? (int)$_POST['post_id'] : 0;

  // Missing: check_ajax_referer('ibooks_get_post_pages', '_ajax_nonce');
  // Missing: current_user_can('read_post', $post_id) check
  // Missing: get_post_status($post_id) validation

  $post = get_post($post_id);
  if ($post && $post->post_type === '3d-flipbook') {
    $pages_data = get_post_meta($post_id, '_ibooks_pages', true);
    wp_send_json($pages_data);
  }
  wp_send_json_error('Not found');
}
```

## Proposed fix diff
```diff
--- includes/class-interactive-3d-flipbook.php
+++ includes/class-interactive-3d-flipbook.php
@@ -10,6 +10,12 @@
-    $post = get_post($post_id);
+    $post = get_post($post_id);
+    if (!$post || !in_array($post->post_status, array('publish', 'inherit')) && !current_user_can('read_post', $post_id)) {
+        wp_send_json_error('Unauthorized');
+    }
+    if (post_password_required($post)) {
+        wp_send_json_error('Password protected');
+    }
```
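Review bot: the `if (!$post || !in_array($post->post_status, array('publish', 'inherit')) && !current_user_can('read_post', $post_id))` line in the proposed fix hunk mixes `||` and `&&` with no parentheses; PHP gives `&&` the higher precedence, so it evaluates as `!$post || (not public && cannot read)`, which is the intended deny rule, but it should be written with explicit parentheses and `in_array(..., true)` so the next reader does not have to reason about precedence or loose comparison. The hunk also removes and re-adds the identical `$post = get_post($post_id);` line, and it still omits the `check_ajax_referer()` that the vulnerable-code comments flag as missing; because a nonce is readable by any visitor of a public page and authorizes nobody, leaving it out is acceptable, but the text should say so rather than list it as a missing check. Finally, `patch_diff_files` is empty and no Trac patch URL is recorded, so this hunk should be labelled as the research pass's proposed fix rather than as the change shipped in 1.16.18.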