CVE-2026-49047

DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer <= 2.4.29 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.4.30
Patched in
23d
Time to patch

Description

The DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.4.29. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.4.29
PublishedMay 27, 2026
Last updatedJune 18, 2026
Affected plugin3d-flipbook-dflip-lite

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-49047 - DearFlip Missing Authorization ## 1. Vulnerability Summary The **DearFlip – PDF Flipbook** plugin (<= 2.4.28) is vulnerable to **Missing Authorization** in its AJAX handling logic. Specifically, the plugin registers several AJAX actions intended for ad…

Show full research plan

Exploitation Research Plan: CVE-2026-49047 - DearFlip Missing Authorization

1. Vulnerability Summary

The DearFlip – PDF Flipbook plugin (<= 2.4.28) is vulnerable to Missing Authorization in its AJAX handling logic. Specifically, the plugin registers several AJAX actions intended for administrative or editor-level flipbook management but fails to perform current_user_can() capability checks within the callback functions. This allows authenticated users with Contributor-level access (who can access wp-admin/admin-ajax.php) to perform actions such as cloning flipbooks, which should be restricted to users with higher privileges (Editor/Administrator).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: dflip_clone_post (Vulnerable AJAX action)
  • HTTP Method: POST
  • Parameter: post_id (The ID of the flipbook post to be cloned)
  • Authentication: Authenticated; Contributor-level or higher.
  • Nonce: Required. The plugin uses check_ajax_referer with the action dflip-admin-nonce.
  • Impact: Unauthorized creation of flipbook posts (Integrity impact).

3. Code Flow

  1. Registration: In inc/admin.php (or dflip.php), the plugin registers the AJAX handler:
    add_action( 'wp_ajax_dflip_clone_post', 'dflip_clone_post_callback' );
    
  2. Callback Initiation: When a request is sent to admin-ajax.php?action=dflip_clone_post, dflip_clone_post_callback() is executed.
  3. Nonce Verification: The function calls:
    check_ajax_referer( 'dflip-admin-nonce', 'security' );
    
    This verifies the CSRF token but does not check user permissions.
  4. Vulnerable Sink: The function retrieves the post_id from $_POST and proceeds to duplicate the post and its metadata using wp_insert_post() or similar logic, without checking if current_user_can( 'edit_posts' ).

4. Nonce Acquisition Strategy

The nonce is localized for administrative scripts. While a Contributor might not see the "DearFlip" menu, the nonce is often enqueued in the wp-admin head for all users or on pages where DearFlip shortcodes are processed.

Strategy:

  1. Log in as the Contributor user.
  2. Navigate to the WordPress Dashboard (/wp-admin/).
  3. Check if dflip_admin_params is present in the page source. If not, create a post containing a DearFlip shortcode and view it.
  4. Use browser_eval to extract the nonce.

JavaScript Variable: window.dflip_admin_params?.nonce
Fallback Variable: window.dflip_ajax?.nonce (in some versions)

5. Exploitation Strategy

Step 1: Discover Target Flipbook

Identify a flipbook ID created by an administrator.

  • Command: wp post list --post_type=dflip

Step 2: Acquire Nonce (as Contributor)

  1. Use browser_navigate to /wp-admin/ as the Contributor.
  2. Execute browser_eval("window.dflip_admin_params?.nonce") to get the security parameter.

Step 3: Execute Unauthorized Clone

Send the malicious AJAX request via http_request.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=dflip_clone_post&post_id=[TARGET_ID]&security=[NONCE]
    

Step 4: Verify Success

The response should return a success message (often JSON or the new post ID).

6. Test Data Setup

  1. Target Content: Create a flipbook as an Administrator.
    wp post create --post_type=dflip --post_title="Admin Secret Flipbook" --post_status=publish
    
  2. Attacker User: Create a user with the Contributor role.
    wp user create attacker attacker@example.com --role=contributor --user_pass=password
    
  3. Shortcode Page (If needed for nonce):
    wp post create --post_type=page --post_title="Flipbook View" --post_content='[dflip id="TARGET_ID"][/dflip]' --post_status=publish
    

7. Expected Results

  • The admin-ajax.php request returns a 200 OK response with a success status (e.g., {"success": true, "data": ...}).
  • A new post of type dflip is created in the database, which is a duplicate of the Administrator's flipbook.

8. Verification Steps

  1. Check Post Count: Verify the number of dflip posts has increased.
    wp post list --post_type=dflip
    
  2. Check Ownership: See if the new flipbook is owned by the Contributor or if the Contributor successfully created content they weren't authorized to.
  3. Database Audit:
    wp db query "SELECT ID, post_title FROM wp_posts WHERE post_type='dflip' ORDER BY ID DESC LIMIT 1;"
    

9. Alternative Approaches

If dflip_clone_post is patched or not available, test other AJAX actions registered in inc/admin.php (or similar logic files):

  • dflip_save_settings: Check if global settings can be updated by a Contributor.
  • dflip_trash_post: Check if a Contributor can delete flipbooks they don't own.
  • dflip_create_flipbook: Check if direct creation is possible without cloning.

In all cases, the core of the exploit remains the same: extracting the dflip-admin-nonce and calling the restricted AJAX action without a capability check.

Research Findings
Static analysis — not yet PoC-verified

Summary

The DearFlip plugin for WordPress lacks capability checks in its AJAX handler for cloning posts. This allows authenticated users with at least contributor-level privileges to perform unauthorized actions, such as duplicating flipbooks, by exploiting the missing current_user_can() validation.

Vulnerable Code

// inc/admin.php
add_action( 'wp_ajax_dflip_clone_post', 'dflip_clone_post_callback' );

function dflip_clone_post_callback() {
    // Only verifies the nonce, fails to check user capabilities
    check_ajax_referer( 'dflip-admin-nonce', 'security' );

    $post_id = (isset($_POST['post_id'])) ? intval($_POST['post_id']) : 0;
    if ($post_id > 0) {
        // ... logic to clone the post ...
    }
}

Security Fix

--- a/inc/admin.php
+++ b/inc/admin.php
@@ -124,6 +124,10 @@
 function dflip_clone_post_callback() {
 	check_ajax_referer( 'dflip-admin-nonce', 'security' );
 
+	if ( ! current_user_can( 'edit_posts' ) ) {
+		wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'dflip' ) ) );
+	}
+
 	$post_id = (isset($_POST['post_id'])) ? intval($_POST['post_id']) : 0;
 	if ($post_id > 0) {

Exploit Outline

The exploit requires an authenticated session with Contributor-level access or higher. 1. Access the WordPress admin dashboard to retrieve the CSRF nonce stored in the 'dflip_admin_params' JavaScript object (specifically the 'nonce' field). 2. Identify the 'post_id' of an existing flipbook to be cloned. 3. Send a POST request to '/wp-admin/admin-ajax.php' with the following parameters: 'action' set to 'dflip_clone_post', 'security' set to the retrieved nonce, and 'post_id' set to the target flipbook ID. 4. Because the plugin only checks the nonce and not user capabilities, the server will process the request and create a duplicate of the specified flipbook.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.