[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffLT4YgIi8u_6YagxKntfhnDMUaeCiMs3yuyz_1_8WAQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-49047","dearflip-pdf-flipbook-3d-flipbook-pdf-embed-pdf-viewer-missing-authorization","DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer \u003C= 2.4.29 - Missing Authorization","The DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.4.29. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","3d-flipbook-dflip-lite",null,"\u003C=2.4.29","2.4.30","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-27 00:00:00","2026-06-18 18:28:58",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb3146b41-27d5-465d-a9ec-af4c50a0d612?source=api-prod",23,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-49047 - DearFlip Missing Authorization\n\n## 1. Vulnerability Summary\nThe **DearFlip – PDF Flipbook** plugin (\u003C= 2.4.28) is vulnerable to **Missing Authorization** in its AJAX handling logic. Specifically, the plugin registers several AJAX actions intended for administrative or editor-level flipbook management but fails to perform `current_user_can()` capability checks within the callback functions. This allows authenticated users with **Contributor-level** access (who can access `wp-admin\u002Fadmin-ajax.php`) to perform actions such as cloning flipbooks, which should be restricted to users with higher privileges (Editor\u002FAdministrator).\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `dflip_clone_post` (Vulnerable AJAX action)\n- **HTTP Method:** `POST`\n- **Parameter:** `post_id` (The ID of the flipbook post to be cloned)\n- **Authentication:** Authenticated; Contributor-level or higher.\n- **Nonce:** Required. The plugin uses `check_ajax_referer` with the action `dflip-admin-nonce`.\n- **Impact:** Unauthorized creation of flipbook posts (Integrity impact).\n\n## 3. Code Flow\n1. **Registration:** In `inc\u002Fadmin.php` (or `dflip.php`), the plugin registers the AJAX handler:\n   ```php\n   add_action( 'wp_ajax_dflip_clone_post', 'dflip_clone_post_callback' );\n   ```\n2. **Callback Initiation:** When a request is sent to `admin-ajax.php?action=dflip_clone_post`, `dflip_clone_post_callback()` is executed.\n3. **Nonce Verification:** The function calls:\n   ```php\n   check_ajax_referer( 'dflip-admin-nonce', 'security' );\n   ```\n   This verifies the CSRF token but does not check user permissions.\n4. **Vulnerable Sink:** The function retrieves the `post_id` from `$_POST` and proceeds to duplicate the post and its metadata using `wp_insert_post()` or similar logic, without checking if `current_user_can( 'edit_posts' )`.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is localized for administrative scripts. While a Contributor might not see the \"DearFlip\" menu, the nonce is often enqueued in the `wp-admin` head for all users or on pages where DearFlip shortcodes are processed.\n\n**Strategy:**\n1. Log in as the **Contributor** user.\n2. Navigate to the WordPress Dashboard (`\u002Fwp-admin\u002F`).\n3. Check if `dflip_admin_params` is present in the page source. If not, create a post containing a DearFlip shortcode and view it.\n4. Use `browser_eval` to extract the nonce.\n\n**JavaScript Variable:** `window.dflip_admin_params?.nonce`\n**Fallback Variable:** `window.dflip_ajax?.nonce` (in some versions)\n\n## 5. Exploitation Strategy\n### Step 1: Discover Target Flipbook\nIdentify a flipbook ID created by an administrator.\n- Command: `wp post list --post_type=dflip`\n\n### Step 2: Acquire Nonce (as Contributor)\n1. Use `browser_navigate` to `\u002Fwp-admin\u002F` as the Contributor.\n2. Execute `browser_eval(\"window.dflip_admin_params?.nonce\")` to get the `security` parameter.\n\n### Step 3: Execute Unauthorized Clone\nSend the malicious AJAX request via `http_request`.\n\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=dflip_clone_post&post_id=[TARGET_ID]&security=[NONCE]\n  ```\n\n### Step 4: Verify Success\nThe response should return a success message (often JSON or the new post ID).\n\n## 6. Test Data Setup\n1. **Target Content:** Create a flipbook as an Administrator.\n   ```bash\n   wp post create --post_type=dflip --post_title=\"Admin Secret Flipbook\" --post_status=publish\n   ```\n2. **Attacker User:** Create a user with the Contributor role.\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password\n   ```\n3. **Shortcode Page (If needed for nonce):**\n   ```bash\n   wp post create --post_type=page --post_title=\"Flipbook View\" --post_content='[dflip id=\"TARGET_ID\"][\u002Fdflip]' --post_status=publish\n   ```\n\n## 7. Expected Results\n- The `admin-ajax.php` request returns a `200 OK` response with a success status (e.g., `{\"success\": true, \"data\": ...}`).\n- A new post of type `dflip` is created in the database, which is a duplicate of the Administrator's flipbook.\n\n## 8. Verification Steps\n1. **Check Post Count:** Verify the number of `dflip` posts has increased.\n   ```bash\n   wp post list --post_type=dflip\n   ```\n2. **Check Ownership:** See if the new flipbook is owned by the Contributor or if the Contributor successfully created content they weren't authorized to.\n3. **Database Audit:**\n   ```bash\n   wp db query \"SELECT ID, post_title FROM wp_posts WHERE post_type='dflip' ORDER BY ID DESC LIMIT 1;\"\n   ```\n\n## 9. Alternative Approaches\nIf `dflip_clone_post` is patched or not available, test other AJAX actions registered in `inc\u002Fadmin.php` (or similar logic files):\n- `dflip_save_settings`: Check if global settings can be updated by a Contributor.\n- `dflip_trash_post`: Check if a Contributor can delete flipbooks they don't own.\n- `dflip_create_flipbook`: Check if direct creation is possible without cloning.\n\nIn all cases, the core of the exploit remains the same: extracting the `dflip-admin-nonce` and calling the restricted AJAX action without a capability check.","The DearFlip plugin for WordPress lacks capability checks in its AJAX handler for cloning posts. This allows authenticated users with at least contributor-level privileges to perform unauthorized actions, such as duplicating flipbooks, by exploiting the missing current_user_can() validation.","\u002F\u002F inc\u002Fadmin.php\nadd_action( 'wp_ajax_dflip_clone_post', 'dflip_clone_post_callback' );\n\nfunction dflip_clone_post_callback() {\n    \u002F\u002F Only verifies the nonce, fails to check user capabilities\n    check_ajax_referer( 'dflip-admin-nonce', 'security' );\n\n    $post_id = (isset($_POST['post_id'])) ? intval($_POST['post_id']) : 0;\n    if ($post_id > 0) {\n        \u002F\u002F ... logic to clone the post ...\n    }\n}","--- a\u002Finc\u002Fadmin.php\n+++ b\u002Finc\u002Fadmin.php\n@@ -124,6 +124,10 @@\n function dflip_clone_post_callback() {\n \tcheck_ajax_referer( 'dflip-admin-nonce', 'security' );\n \n+\tif ( ! current_user_can( 'edit_posts' ) ) {\n+\t\twp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'dflip' ) ) );\n+\t}\n+\n \t$post_id = (isset($_POST['post_id'])) ? intval($_POST['post_id']) : 0;\n \tif ($post_id > 0) {","The exploit requires an authenticated session with Contributor-level access or higher. \n1. Access the WordPress admin dashboard to retrieve the CSRF nonce stored in the 'dflip_admin_params' JavaScript object (specifically the 'nonce' field).\n2. Identify the 'post_id' of an existing flipbook to be cloned.\n3. Send a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the following parameters: 'action' set to 'dflip_clone_post', 'security' set to the retrieved nonce, and 'post_id' set to the target flipbook ID.\n4. Because the plugin only checks the nonce and not user capabilities, the server will process the request and create a duplicate of the specified flipbook.","gemini-3-flash-preview","2026-06-04 18:20:17","2026-06-04 18:20:45",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","2.4.27","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002F3d-flipbook-dflip-lite\u002Ftags\u002F2.4.27","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002F3d-flipbook-dflip-lite.2.4.27.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002F3d-flipbook-dflip-lite\u002Ftags"]