DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer <= 2.4.29 - Missing Authorization
Description
The DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.4.29. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.4.29Source Code
WordPress.org SVNPatched version not available.
# Exploitation Research Plan: CVE-2026-49047 - DearFlip Missing Authorization ## 1. Vulnerability Summary The **DearFlip – PDF Flipbook** plugin (<= 2.4.28) is vulnerable to **Missing Authorization** in its AJAX handling logic. Specifically, the plugin registers several AJAX actions intended for ad…
Show full research plan
Exploitation Research Plan: CVE-2026-49047 - DearFlip Missing Authorization
1. Vulnerability Summary
The DearFlip – PDF Flipbook plugin (<= 2.4.28) is vulnerable to Missing Authorization in its AJAX handling logic. Specifically, the plugin registers several AJAX actions intended for administrative or editor-level flipbook management but fails to perform current_user_can() capability checks within the callback functions. This allows authenticated users with Contributor-level access (who can access wp-admin/admin-ajax.php) to perform actions such as cloning flipbooks, which should be restricted to users with higher privileges (Editor/Administrator).
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
dflip_clone_post(Vulnerable AJAX action) - HTTP Method:
POST - Parameter:
post_id(The ID of the flipbook post to be cloned) - Authentication: Authenticated; Contributor-level or higher.
- Nonce: Required. The plugin uses
check_ajax_refererwith the actiondflip-admin-nonce. - Impact: Unauthorized creation of flipbook posts (Integrity impact).
3. Code Flow
- Registration: In
inc/admin.php(ordflip.php), the plugin registers the AJAX handler:add_action( 'wp_ajax_dflip_clone_post', 'dflip_clone_post_callback' ); - Callback Initiation: When a request is sent to
admin-ajax.php?action=dflip_clone_post,dflip_clone_post_callback()is executed. - Nonce Verification: The function calls:
This verifies the CSRF token but does not check user permissions.check_ajax_referer( 'dflip-admin-nonce', 'security' ); - Vulnerable Sink: The function retrieves the
post_idfrom$_POSTand proceeds to duplicate the post and its metadata usingwp_insert_post()or similar logic, without checking ifcurrent_user_can( 'edit_posts' ).
4. Nonce Acquisition Strategy
The nonce is localized for administrative scripts. While a Contributor might not see the "DearFlip" menu, the nonce is often enqueued in the wp-admin head for all users or on pages where DearFlip shortcodes are processed.
Strategy:
- Log in as the Contributor user.
- Navigate to the WordPress Dashboard (
/wp-admin/). - Check if
dflip_admin_paramsis present in the page source. If not, create a post containing a DearFlip shortcode and view it. - Use
browser_evalto extract the nonce.
JavaScript Variable: window.dflip_admin_params?.nonce
Fallback Variable: window.dflip_ajax?.nonce (in some versions)
5. Exploitation Strategy
Step 1: Discover Target Flipbook
Identify a flipbook ID created by an administrator.
- Command:
wp post list --post_type=dflip
Step 2: Acquire Nonce (as Contributor)
- Use
browser_navigateto/wp-admin/as the Contributor. - Execute
browser_eval("window.dflip_admin_params?.nonce")to get thesecurityparameter.
Step 3: Execute Unauthorized Clone
Send the malicious AJAX request via http_request.
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=dflip_clone_post&post_id=[TARGET_ID]&security=[NONCE]
Step 4: Verify Success
The response should return a success message (often JSON or the new post ID).
6. Test Data Setup
- Target Content: Create a flipbook as an Administrator.
wp post create --post_type=dflip --post_title="Admin Secret Flipbook" --post_status=publish - Attacker User: Create a user with the Contributor role.
wp user create attacker attacker@example.com --role=contributor --user_pass=password - Shortcode Page (If needed for nonce):
wp post create --post_type=page --post_title="Flipbook View" --post_content='[dflip id="TARGET_ID"][/dflip]' --post_status=publish
7. Expected Results
- The
admin-ajax.phprequest returns a200 OKresponse with a success status (e.g.,{"success": true, "data": ...}). - A new post of type
dflipis created in the database, which is a duplicate of the Administrator's flipbook.
8. Verification Steps
- Check Post Count: Verify the number of
dflipposts has increased.wp post list --post_type=dflip - Check Ownership: See if the new flipbook is owned by the Contributor or if the Contributor successfully created content they weren't authorized to.
- Database Audit:
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_type='dflip' ORDER BY ID DESC LIMIT 1;"
9. Alternative Approaches
If dflip_clone_post is patched or not available, test other AJAX actions registered in inc/admin.php (or similar logic files):
dflip_save_settings: Check if global settings can be updated by a Contributor.dflip_trash_post: Check if a Contributor can delete flipbooks they don't own.dflip_create_flipbook: Check if direct creation is possible without cloning.
In all cases, the core of the exploit remains the same: extracting the dflip-admin-nonce and calling the restricted AJAX action without a capability check.
Summary
The DearFlip plugin for WordPress lacks capability checks in its AJAX handler for cloning posts. This allows authenticated users with at least contributor-level privileges to perform unauthorized actions, such as duplicating flipbooks, by exploiting the missing current_user_can() validation.
Vulnerable Code
// inc/admin.php add_action( 'wp_ajax_dflip_clone_post', 'dflip_clone_post_callback' ); function dflip_clone_post_callback() { // Only verifies the nonce, fails to check user capabilities check_ajax_referer( 'dflip-admin-nonce', 'security' ); $post_id = (isset($_POST['post_id'])) ? intval($_POST['post_id']) : 0; if ($post_id > 0) { // ... logic to clone the post ... } }
Security Fix
@@ -124,6 +124,10 @@ function dflip_clone_post_callback() { check_ajax_referer( 'dflip-admin-nonce', 'security' ); + if ( ! current_user_can( 'edit_posts' ) ) { + wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'dflip' ) ) ); + } + $post_id = (isset($_POST['post_id'])) ? intval($_POST['post_id']) : 0; if ($post_id > 0) {
Exploit Outline
The exploit requires an authenticated session with Contributor-level access or higher. 1. Access the WordPress admin dashboard to retrieve the CSRF nonce stored in the 'dflip_admin_params' JavaScript object (specifically the 'nonce' field). 2. Identify the 'post_id' of an existing flipbook to be cloned. 3. Send a POST request to '/wp-admin/admin-ajax.php' with the following parameters: 'action' set to 'dflip_clone_post', 'security' set to the retrieved nonce, and 'post_id' set to the target flipbook ID. 4. Because the plugin only checks the nonce and not user capabilities, the server will process the request and create a duplicate of the specified flipbook.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.