CVE-2026-25423

Real 3D FlipBook <= 4.19.1 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 4.19.2
Time to patch: 36d

Description

The Real 3D FlipBook plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.19.1. This makes it possible for authenticated attackers, with author-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.19.1
Published: February 10, 2026
Last updated: March 17, 2026
Affected plugin: real3d-flipbook-lite

Source Code

WordPress.org SVN

Research Plan

Unverified


This research plan outlines the steps to investigate and exploit CVE-2026-25423, a missing authorization vulnerability in the Real 3D FlipBook plugin for WordPress.

1. Vulnerability Summary

The Real 3D FlipBook plugin (lite version) up to 4.19.1 contains a vulnerability where a specific AJAX-registered function fails to perform a capability check (e.g., current_user_can('manage_options')). While the function is protected by a nonce, the nonce is likely available to any user with "Author" level access or higher. This allows an authenticated attacker to perform unauthorized modifications to flipbooks or plugin settings, depending on which function is missing the check.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: r3d_save_flipbook or real3d_flipbook_save_settings (inferred - to be verified).
  • Method: POST
  • Authentication: Authenticated, Author-level (capability: edit_posts).
  • Vulnerability Type: Missing Authorization (IDOR/Privilege Escalation).
  • Preconditions:
    • Plugin installed and active (version <= 4.19.1).
    • Attacker has Author-level credentials.
    • A valid nonce for the specific action.

3. Code Flow (Inferred)

  1. The plugin registers an AJAX action for administrators, typically in the main plugin file or an admin-specific include:
    add_action('wp_ajax_r3d_save_flipbook', 'r3d_save_flipbook_callback');
  2. The callback function r3d_save_flipbook_callback (inferred) is called when a request is made to admin-ajax.php?action=r3d_save_flipbook.
  3. The function calls check_ajax_referer('r3d_nonce', 'security') (inferred) to verify the CSRF token.
  4. The Vulnerability: The function fails to call current_user_can('manage_options'). Since Authors have access to the WordPress admin area, they may be able to obtain the nonce and trigger the function, even though they should not be allowed to manage flipbooks globally.
  5. The function proceeds to update flipbook settings in the database (likely using $wpdb or update_option).

4. Nonce Acquisition Strategy

Real 3D FlipBook typically exposes its admin data via wp_localize_script. We will use an Author account to access the admin dashboard and extract the required nonce.

  1. Identify Nonce Location: Search the source for wp_localize_script.
    • Search: grep -r "wp_localize_script" .
    • Look for a variable like real3d_flipbook_admin or r3d_admin.
  2. Verify Nonce Key: Look for the key (e.g., nonce or security) within the localized object.
  3. Extraction Procedure:
    • Login as Author.
    • Navigate to the Real 3D Flipbook admin page (if visible to Authors) or any admin page where the script is enqueued.
    • Execute JS: browser_eval("window.r3d_admin?.nonce") (Replace r3d_admin and nonce with actual keys found in step 1).

5. Exploitation Strategy

The goal is to modify an existing flipbook or create a new one using an Author account.

Step 1: Reconnaissance

  • List existing flipbooks via WP-CLI: wp r3d_flipbook list (if CLI command exists) or inspect the wp_posts table where post_type='r3d_flipbook'.
  • Determine the exact AJAX action and parameter names by searching the source for add_action('wp_ajax_....

Step 2: Nonce Extraction

  • Use the browser_navigate and browser_eval tools to grab the nonce as an Author.

Step 3: Unauthorized Modification

  • Construct a POST request to admin-ajax.php.
  • Action: r3d_save_flipbook (Verify via grep).
  • Payload:
    {
        "action": "r3d_save_flipbook",
        "security": "[NONCE_EXTRACTED]",
        "id": "[TARGET_FLIPBOOK_ID]",
        "name": "Exploited Flipbook",
        "settings": "{\"flipbook_name\":\"Hacked\", ...}"
    }
    
  • Tool: http_request.

6. Test Data Setup

  1. Install the plugin real3d-flipbook-lite v4.19.1.
  2. Create an administrator user.
  3. Create an "Author" level user (e.g., attacker_author).
  4. As Administrator, create one flipbook via the plugin UI so there is a target ID to modify.
  5. Find the ID of the created flipbook: wp post list --post_type=r3d_flipbook.

7. Expected Results

  • The http_request returns a successful response (likely a JSON object with success: true or a 200 OK with a "1" or similar status).
  • The flipbook data in the database is modified despite the request coming from an Author-level account.

8. Verification Steps

  1. Check Flipbook Content: Use WP-CLI to view the flipbook post meta or title.
    • wp post get [ID]
    • wp post meta list [ID]
  2. Verify Capability: Confirm that the user used for the exploit only has the author role.
    • wp user get attacker_author
  3. Confirm Lack of Admin Rights: Verify the Author user cannot normally perform this action through the intended UI (e.g., checking if the menu item is hidden).

9. Alternative Approaches

  • Creation vs. Modification: If r3d_save_flipbook is not the target, look for r3d_new_flipbook or r3d_delete_flipbook.
  • Global Settings: Check if there is an action like r3d_save_settings that modifies wp_options.
  • Injected Script: If the plugin allows HTML/JS in flipbook settings, escalate the "Unauthorized Action" to a Stored XSS by injecting <script>alert(1)</script> into a flipbook setting that an administrator might view. This would elevate the severity.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Real 3D FlipBook plugin for WordPress fails to perform authorization checks on certain AJAX actions, such as saving flipbook data. This allows authenticated users with Author-level access to modify flipbook settings or create new flipbooks by obtaining a valid nonce from the admin dashboard and sending a crafted request to the admin-ajax.php endpoint.

Vulnerable Code

// Inferred from plugin structure and research plan
// Likely located in includes/admin.php or similar admin-handling file

add_action('wp_ajax_r3d_save_flipbook', 'r3d_save_flipbook_callback');

function r3d_save_flipbook_callback() {
    // Nonce verification exists, but capability check is missing
    check_ajax_referer('r3d_nonce', 'security');

    // Vulnerability: Missing current_user_can('manage_options') or similar check

    $post_id = $_POST['id'];
    $flipbook_data = $_POST['data'];
    
    // Logic to update the r3d_flipbook post type or post meta
    update_post_meta($post_id, '_r3d_flipbook_settings', $flipbook_data);
    
    wp_send_json_success();
}
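As an added auditing aid (not code from the plugin or from this page's author), the following Python script scans PHP source for authenticated wp_ajax_ registrations whose callback verifies a nonce but never calls current_user_can(), the pattern described in the inferred code flow and vulnerable code above. The plugin source embedded in it is constructed for the demo; the action and callback names mirror the inferred ones on this page and are assumptions.

```python
import re

# Constructed sample plugin source (not the real plugin's code): the first handler
# verifies a nonce but never calls current_user_can(), the CVE-2026-25423 pattern;
# the second handler has the patched shape with a capability check.
SAMPLE_PHP = r"""<?php
add_action('wp_ajax_r3d_save_flipbook', 'r3d_save_flipbook_callback');
add_action('wp_ajax_r3d_get_flipbook', 'r3d_get_flipbook_callback');

function r3d_save_flipbook_callback() {
    check_ajax_referer('r3d_nonce', 'security');
    update_post_meta($_POST['id'], '_r3d_flipbook_settings', $_POST['data']);
    wp_send_json_success();
}
function r3d_get_flipbook_callback() {
    check_ajax_referer('r3d_nonce', 'security');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('Unauthorized access');
    }
    wp_send_json_success(get_post_meta(absint($_POST['id'])));
}
"""

# Authenticated AJAX registrations only; wp_ajax_nopriv_ handlers are public by design.
REGISTER_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_(?!nopriv_)(\w+)['"]\s*,\s*['"](\w+)['"]""")

def function_body(src, name):
    """Return the brace-delimited body of a named PHP function, or None (naive brace count)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def find_unguarded_ajax_handlers(src):
    """List wp_ajax_ callbacks whose body contains no current_user_can() call."""
    findings = []
    for action, callback in REGISTER_RE.findall(src):
        body = function_body(src, callback)
        if body is None or "current_user_can" in body:
            continue
        has_nonce = "check_ajax_referer" in body or "wp_verify_nonce" in body
        findings.append({"action": action, "callback": callback, "has_nonce": has_nonce})
    return findings

if __name__ == "__main__":
    for f in find_unguarded_ajax_handlers(SAMPLE_PHP):
        print(f"wp_ajax_{f['action']} -> {f['callback']}(): nonce={f['has_nonce']}, no capability check")
```

Run it against a plugin checkout by reading each PHP file into `src`; a nonce check alone only proves the request came from a page the user could already load, so every reported handler needs a manual look at what it writes.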

Security Fix

--- a/includes/admin.php
+++ b/includes/admin.php
@@ -10,6 +10,10 @@
 function r3d_save_flipbook_callback() {
     check_ajax_referer('r3d_nonce', 'security');
 
+    if (!current_user_can('manage_options')) {
+        wp_send_json_error('Unauthorized access');
+    }
+
     $post_id = $_POST['id'];
     $flipbook_data = $_POST['data'];
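Review bot: the early exit after the new capability check depends on wp_send_json_error() terminating the request (it calls wp_die() by default); add an explicit `return;` after `wp_send_json_error('Unauthorized access');` so the intent is visible and the handler stays safe if that helper is ever replaced. The check is also coarser than the data it protects: `$post_id = $_POST['id'];` is still used unvalidated, so consider `absint()` plus a per-post check such as `current_user_can('edit_post', $post_id)` and a post_type test for r3d_flipbook before the meta update, rather than a site-wide manage_options gate alone.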

Exploit Outline

  1. Authenticate as a user with 'Author' role permissions.
  2. Navigate to the WordPress dashboard where the Real 3D FlipBook scripts are enqueued (usually any admin page if the plugin enqueues globally, or the specific flipbook list page).
  3. Extract the 'r3d_nonce' from the localized JavaScript object (e.g., searching for 'r3d_admin' or 'r3d_nonce' in the page source or using the browser console).
  4. Capture the ID of a target flipbook post (post_type 'r3d_flipbook').
  5. Send a POST request to /wp-admin/admin-ajax.php with the following parameters:
    • action: r3d_save_flipbook
    • security: [EXTRACTED_NONCE]
    • id: [TARGET_FLIPBOOK_ID]
    • data: [NEW_SETTINGS_JSON_OR_ARRAY]
  6. Verify that the flipbook settings have been updated despite the attacker lacking administrative privileges.
