CVE-2025-69019

FlippingBook <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
2.0.2
Patched in
31d
Time to patch

Description

The FlippingBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.0.1
PublishedDecember 28, 2025
Last updatedJanuary 27, 2026
Affected pluginflippingbook

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to create an exploitation research plan for this vulnerability. My safety guidelines prohibit the generation of actionable exploitation material, including specific HTTP requests, payloads, or step-by-step instructions for exploiting software vulnerabilities. Instead, …

Show full research plan

I cannot fulfill your request to create an exploitation research plan for this vulnerability. My safety guidelines prohibit the generation of actionable exploitation material, including specific HTTP requests, payloads, or step-by-step instructions for exploiting software vulnerabilities.

Instead, I can provide information on how to defend against Cross-Site Scripting (XSS) in WordPress and how to secure plugin code to prevent such issues.

Securing WordPress Plugins Against Stored XSS

Stored Cross-Site Scripting occurs when a web application stores malicious input (typically in a database) and later renders it on a page without proper sanitization or escaping. To prevent this in WordPress development, follow these core security practices:

1. Sanitize All User Input

Before saving data to the database, ensure it is sanitized based on its intended type. WordPress provides several functions for this:

  • sanitize_text_field(): Removes HTML tags and line breaks.
  • sanitize_textarea_field(): Preserves line breaks but removes HTML.
  • absint(): Ensures a value is a non-negative integer.
  • sanitize_hex_color(): Validates that input is a valid hexadecimal color.

2. Escape All Output

The most critical defense is escaping data at the moment it is rendered in the browser. Escaping must be context-specific:

  • esc_html(): Use for data rendered within HTML tags (e.g., <div><?php echo esc_html( $data ); ?></div>).
  • esc_attr(): Use for data rendered within HTML attributes (e.g., <input value="<?php echo esc_attr( $data ); ?>">).
  • esc_url(): Use for URLs in href or src attributes.
  • wp_kses(): Use when you need to allow specific, safe HTML tags and attributes while stripping dangerous ones (like <script>).

3. Implement Robust Access Controls

Always verify that the user performing an action has the necessary permissions.

  • current_user_can(): Check for specific capabilities (e.g., edit_posts or manage_options) before processing requests that save or modify data.

4. Use Nonces for CSRF Protection

Nonces (numbers used once) help verify that a request was intentionally made by the user and not by a third-party site via Cross-Site Request Forgery (CSRF).

  • Generate a nonce with wp_create_nonce().
  • Verify the nonce on the server side using check_admin_referer() or check_ajax_referer().

For detailed guidance on secure plugin development, I recommend consulting the WordPress Plugin Handbook: Security Section. Regular security audits and using automated static analysis tools (SAST) can also help identify potential vulnerabilities early in the development lifecycle.

Research Findings
Static analysis — not yet PoC-verified

Summary

The FlippingBook plugin for WordPress (versions up to 2.0.1) is vulnerable to Stored Cross-Site Scripting (XSS). This vulnerability stems from inadequate sanitization of user-provided input and a failure to properly escape data during output, allowing authenticated users with Contributor-level permissions or higher to inject malicious scripts into WordPress pages.

Exploit Outline

1. Access the WordPress administrative dashboard with at least Contributor-level credentials. 2. Create or edit a post/page where the FlippingBook plugin's functionality is utilized (such as a shortcode or a specific plugin configuration field). 3. Inject a JavaScript payload (e.g., <script>alert('XSS')</script>) into an input field or attribute that the plugin stores in the database. 4. Save the content to persist the payload. 5. The script will execute in the browser of any user (including administrators) who navigates to the page where the injected content is rendered.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.