3D FlipBook Vulnerability – Authenticated (Author+) Stored Cross-Site Scripting via Bookmark URL – CVE-2024-3883 | WordPress Plugin Vulnerability Report

Plugin Name: 3D FlipBook

Key Information:

  • Software Type: Plugin
  • Software Slug: interactive-3d-flipbook-powered-physics-engine
  • Software Status: Active
  • Software Author: iberezansky
  • Software Downloads: 1,595,226
  • Active Installs: 70,000
  • Last Updated: May 1, 2024
  • Patched Versions: 1.15.5
  • Affected Versions: <= 1.15.4

Vulnerability Details:

  • Name: 3D FlipBook <= 1.15.4 - Authenticated (Author+) Stored Cross-Site Scripting via Bookmark URL
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-3883
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: May 1, 2024
  • Researcher: Tim Coen
  • Description: The 3D FlipBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Bookmark URL field in all versions up to, and including, 1.15.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
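The description above names the two missing controls, input sanitization and output escaping, without showing what they look like in plugin code. The following PHP is an added example written for this report, not code from the 3D FlipBook plugin: the function names and the shape of the `$bookmark` array are assumptions, while `esc_url_raw`, `esc_url`, `esc_attr`, `esc_html` and `sanitize_text_field` are standard WordPress helpers and the block assumes it runs with WordPress loaded. It places the unsafe pattern (stored value printed verbatim into an `href`) beside the hardened one (scheme-restricted URL sanitization on save, then escaping again on output).

```php
<?php
// Added example for this report; not 3D FlipBook code. Function names and
// the $bookmark array layout are hypothetical. Requires WordPress to be loaded
// (esc_url_raw, esc_url, esc_attr, esc_html, sanitize_text_field are core helpers).

// UNSAFE PATTERN: a bookmark URL submitted by an Author is stored and later
// printed straight into markup. A value carrying a non-http scheme or a
// quote that closes the attribute becomes live script for every visitor.
function example_render_bookmark_unsafe( array $bookmark ) {
    return '<a href="' . $bookmark['url'] . '">' . $bookmark['title'] . '</a>';
}

// HARDENED, step 1: sanitize when the bookmark is saved.
// esc_url_raw() keeps only the listed schemes and returns '' for anything
// else, so a javascript: value never reaches the database.
function example_sanitize_bookmark( array $raw ) {
    $url   = esc_url_raw( trim( (string) ( $raw['url'] ?? '' ) ), array( 'http', 'https' ) );
    $title = sanitize_text_field( (string) ( $raw['title'] ?? '' ) );
    return array( 'url' => $url, 'title' => $title );
}

// HARDENED, step 2: escape again when rendering, independent of what was
// stored. This protects rows written before the fix or through another path.
function example_render_bookmark( array $bookmark ) {
    $url = esc_url( (string) ( $bookmark['url'] ?? '' ), array( 'http', 'https' ) );
    if ( '' === $url ) {
        return ''; // disallowed or empty URL: render nothing rather than a live link
    }
    return '<a href="' . esc_attr( $url ) . '">'
        . esc_html( (string) ( $bookmark['title'] ?? '' ) )
        . '</a>';
}

// Typical flow on save (hook name and request field are assumptions):
// $clean = example_sanitize_bookmark( wp_unslash( $_POST['bookmark'] ?? array() ) );
// update_post_meta( $post_id, '_example_bookmark', $clean );
// and on output:
// echo example_render_bookmark( get_post_meta( $post_id, '_example_bookmark', true ) );
```

The important design point is that the two steps are not redundant: sanitizing on save limits what is stored, but output escaping is what actually prevents stored data from being interpreted as markup, and it is the step the advisory says was missing.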

Summary:

The 3D FlipBook plugin for WordPress has a vulnerability in versions up to and including 1.15.4 that allows authenticated attackers with author-level access and above to inject arbitrary web scripts in pages via the Bookmark URL field due to insufficient input sanitization and output escaping. This vulnerability has been patched in version 1.15.5.

Detailed Overview:

The vulnerability was discovered by researcher Tim Coen and publicly published on May 1, 2024. The vulnerability resides in the Bookmark URL field, where an attacker with author-level access or higher can inject malicious scripts that will execute whenever a user accesses an injected page. This vulnerability poses a risk to websites using the affected versions of the plugin, as it can be exploited to perform various malicious activities, such as stealing user data or redirecting users to malicious websites.

Advice for Users:

  1. Immediate Action: Users are strongly encouraged to update the 3D FlipBook plugin to version 1.15.5 or later to ensure their WordPress installations are secure.
  2. Check for Signs of Vulnerability: Users should review their website for any suspicious or unexpected content, particularly in pages utilizing the 3D FlipBook plugin.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.15.5 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/interactive-3d-flipbook-powered-physics-engine

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/interactive-3d-flipbook-powered-physics-engine/3d-flipbook-1154-authenticated-author-stored-cross-site-scritping-via-bookmark-url

Detailed Report:

In the fast-paced world of web security, staying vigilant and keeping your WordPress site up to date is crucial. As a small business owner, you may not have the time to constantly monitor for security threats, but neglecting to do so can put your website and its users at risk. Today, we'd like to bring your attention to a recently discovered vulnerability in the popular 3D FlipBook plugin for WordPress and provide you with the information and tools necessary to protect your site.

Plugin Details:

The 3D FlipBook plugin, developed by iberezansky, is a widely used tool for creating interactive 3D flipbooks on WordPress sites. With over 1.5 million downloads and 70,000 active installations, it is a popular choice among website owners looking to enhance their user experience.

Vulnerability Details:

On May 1, 2024, researcher Tim Coen publicly disclosed a vulnerability in the 3D FlipBook plugin. The vulnerability, identified as CVE-2024-3883, affects all versions of the plugin up to and including 1.15.4. It allows authenticated attackers with author-level access and above to inject arbitrary web scripts into pages via the Bookmark URL field due to insufficient input sanitization and output escaping.

Risks and Potential Impacts:

The 3D FlipBook vulnerability poses a significant risk to websites using the affected versions of the plugin. If exploited, attackers can inject malicious scripts that execute whenever a user accesses an injected page. This can lead to various malicious activities, such as stealing user data, redirecting users to malicious websites, or compromising the overall security of your WordPress site.

Remediation Steps:

To protect your WordPress site from the 3D FlipBook vulnerability, follow these steps:

  1. Update the 3D FlipBook plugin to version 1.15.5 or later immediately.
  2. Review your website for any suspicious or unexpected content, particularly in pages utilizing the 3D FlipBook plugin.
  3. Consider using alternative plugins that offer similar functionality as a precaution.
  4. Ensure that all your WordPress plugins and themes are updated to their latest versions to minimize the risk of vulnerabilities.

Previous Vulnerabilities:

It's worth noting that the 3D FlipBook plugin has had a history of vulnerabilities. Since February 2022, four other vulnerabilities have been discovered and patched. This underscores the importance of staying informed about the plugins you use and promptly applying security updates as they become available.

Conclusion:

As a small business owner, the security of your WordPress site should be a top priority. By staying informed about the latest vulnerabilities, such as the one found in the 3D FlipBook plugin, and taking prompt action to update your plugins and themes, you can significantly reduce the risk of falling victim to cyber attacks. We understand that managing a website on top of running a business can be overwhelming, but neglecting security can have serious consequences.

If you're unsure about how to proceed or need assistance in securing your WordPress site, don't hesitate to seek help from professionals. Investing in the security of your website is investing in the success and longevity of your business. Stay vigilant, keep your site updated, and prioritize the safety of your users' data. Together, we can create a safer online environment for everyone.

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.
