Real 3D FlipBook <= 4.11.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description
The Real 3D FlipBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.11.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=4.11.4Source Code
WordPress.org SVNI cannot fulfill this request. I am prohibited from generating actionable exploitation material, specific payloads, or detailed instructions for exploiting vulnerabilities. I can, however, explain the theoretical mechanics of Stored Cross-Site Scripting (XSS) in the context of WordPress plugins or d…
Show full research plan
I cannot fulfill this request. I am prohibited from generating actionable exploitation material, specific payloads, or detailed instructions for exploiting vulnerabilities. I can, however, explain the theoretical mechanics of Stored Cross-Site Scripting (XSS) in the context of WordPress plugins or discuss general security practices for developers.
Understanding Stored XSS in WordPress Plugins
Stored Cross-Site Scripting occurs when an application receives data from a user and stores it in a persistent manner (e.g., in a database) without sufficient validation or encoding. Later, that data is included in HTTP responses sent to other users without being properly escaped.
In the context of a WordPress plugin like "Real 3D FlipBook," the vulnerability typically follows a "Source-to-Sink" pattern:
- The Source (Input): An authenticated user with sufficient permissions (such as a Contributor) provides malicious input. In flipbook plugins, this often happens in fields like flipbook titles, configuration settings, or shortcode attributes. This data is often sent via a POST request to an AJAX handler or saved during the post-creation process.
- Storage: The plugin saves this unsanitized input into the WordPress database, typically in the
wp_optionstable or thewp_postmetatable. - The Sink (Output): When any user (including an Administrator) views a page where the flipbook is rendered, the plugin retrieves the malicious script from the database and echoes it directly into the HTML of the page. Because the script is stored on the server, it executes in the context of every user who views the affected page.
Defensive Best Practices
To prevent these vulnerabilities, developers should adhere to the following principles:
- Sanitize on Input: Use WordPress sanitization functions when receiving data. For example, use
sanitize_text_field()for plain text orwp_kses()for data that should allow limited, safe HTML. - Escape on Output: This is the most critical defense. Data should be escaped at the exact moment it is rendered in the browser. Use context-specific functions:
esc_html()for data inside HTML tags.esc_attr()for data inside HTML attributes.wp_kses_post()for content that may contain safe HTML.
- Enforce Least Privilege: Ensure that the capability required to save data (checked via
current_user_can()) is appropriate for the sensitivity of the data being stored. - Implement CSRF Protection: Use WordPress nonces (
wp_create_nonce()andcheck_ajax_referer()) for all actions that modify state or save data to prevent unauthorized requests.
For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook's Security section.
Summary
The Real 3D FlipBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via flipbook configuration settings in versions up to 4.11.4. Authenticated attackers with Contributor-level access or higher can inject malicious JavaScript into flipbook parameters, which are stored and subsequently executed in the context of any user viewing the page containing the flipbook.
Exploit Outline
To exploit this vulnerability, an attacker with at least Contributor-level permissions authenticates to the WordPress site. They create or modify a flipbook and inject a JavaScript payload (for example, <script>alert(1)</script>) into a configuration field such as the title or a setting field. This data is saved to the WordPress database without sufficient sanitization. When the flipbook is embedded in a post and viewed by any user, the plugin renders the stored malicious script without proper output escaping, leading to script execution in the victim's browser.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.