3D FlipBook Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Bookmarks – CVE-2024-1081 | WordPress Plugin Vulnerability Report
Plugin Name: 3D FlipBook
Key Information:
- Software Type: Plugin
- Software Slug: interactive-3d-flipbook-powered-physics-engine
- Software Status: Active
- Software Author: iberezansky
- Software Downloads: 1,524,371
- Active Installs: 70,000
- Last Updated: February 20, 2024
- Patched Versions: 1.15.4
- Affected Versions: <= 1.15.3
Vulnerability Details:
- Name: 3D FlipBook – PDF Flipbook WordPress <= 1.15.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Bookmarks
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Bookmarks
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2024-1081
- CVSS Score: 6.4 (Medium)
- Publicly Published: February 20, 2024
- Researcher: Muhammad Daffa
- Description: The 3D FlipBook – PDF Flipbook WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bookmark feature in all versions up to, and including, 1.15.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The 3D FlipBook plugin for WordPress has a vulnerability in versions up to and including 1.15.3 that allows authenticated users with Contributor-level access or higher to inject malicious JavaScript that executes when pages are viewed. This vulnerability has been patched in version 1.15.4.
Detailed Overview:
Researcher Muhammad Daffa disclosed the vulnerability in the bookmark feature wherein insufficient input sanitization allows attackers to inject arbitrary JavaScript that is stored and later executed when bookmarked pages are accessed by victims. This creates significant risk, as attackers could steal session cookies, install crypto miners, extract data, or otherwise compromise site security and integrity. Users are advised to update immediately to version 1.15.4, which resolves this vulnerability by properly sanitizing input.
Advice for Users:
- Immediate Action: Update to version 1.15.4 as soon as possible.
- Check for Signs of Vulnerability: Review page code and bookmarks for unauthorized code injections. Clear malicious entries.
- Alternate Plugins: Consider PDF flipbook plugins like WP PDF Book for now.
- Stay Updated: Enable auto-updates for plugins to receive security fixes when available.
Conclusion:
The quick fix provided by the 3D FlipBook developers underscores the importance of updating plugins. Users should ensure they are running version 1.15.4 or higher in order to protect their sites from stored XSS attacks.
Detailed Report:
Staying on top of website security is a never-ending task. New vulnerabilities in web software are constantly being discovered, underscoring the importance of timely updates. Recently a dangerous vulnerability was revealed in a popular WordPress plugin, putting thousands of websites at risk.
The 3D FlipBook plugin, installed on over 70,000 WordPress sites, was found to have a flaw allowing attackers to inject malicious code into pages. This “stored cross-site scripting” vulnerability enables hackers to compromise site security and user data. Without the latest security update, WordPress sites using this plugin are extremely vulnerable.
About the Affected Plugin
3D FlipBook is a widely-used plugin that enables PDF uploads and displays content in an interactive 3D animated interface. The plugin has over 1.5 million downloads and 70,000 active installs. It is actively maintained by author iberezansky, with the latest update released on February 20, 2024.
Details of the Vulnerability
Researcher Muhammad Daffa disclosed a stored cross-site scripting (XSS) vulnerability affecting 3D FlipBook versions up to and including 1.15.3. The vulnerability exists in the bookmark feature due to insufficient input sanitization.
This enables attackers with contributor-level access or higher to inject arbitrary JavaScript that gets stored and executed when bookmarked pages are viewed by victims. No user interaction is required beyond viewing compromised pages.
Risks and Impacts
Successful exploitation of this vulnerability poses severe risks, enabling attackers to carry out a variety of malicious activities, such as:
- Stealing session cookies and taking over user accounts
- Installing cryptojackers to mine cryptocurrency
- Extracting sensitive user data stored in databases
- Injecting content and defacing sites
- Redirecting pages to harmful third-party sites
How to Update and Fix
The developers of 3D FlipBook have addressed this vulnerability in version 1.15.4. Users are strongly advised to update as soon as possible. The following remediation steps will help secure your WordPress site:
- Back up your site and database
- Update the 3D FlipBook plugin to the latest secure version
- Check existing bookmarks for unauthorized code and remove as needed
- Consider switching to other PDF flipbook plugins for added security
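The vulnerability class described above (a stored bookmark title written into the page without sanitization or output escaping) and the remediation step "check existing bookmarks for unauthorized code" can both be illustrated with a short script. The following is an added example written for this report; it is not code from the 3D FlipBook plugin, which is PHP, and it assumes a simple bookmark shape (page number plus title) and a constructed list of sample entries. It shows the unescaped rendering pattern beside its hardened form, and a conservative scanner that flags any stored title containing markup so a site owner can review and remove unauthorized entries.

```python
import html
import re

# Constructed sample of stored bookmark entries (page number plus title), the kind
# of data a site owner might export from the database when reviewing bookmarks
# after an advisory like this one. Illustrative values only, not the plugin's data.
SAMPLE_BOOKMARKS = [
    {"page": 1, "title": "Introduction"},
    {"page": 4, "title": "Q&A <b>Session</b>"},
    {"page": 7, "title": "Appendix <script>alert(1)</script>"},
    {"page": 9, "title": "<img src=x onerror=alert(1)>"},
]

# Patterns a plain-text bookmark title should never contain. Any markup at all is
# unexpected in a title, so the last pattern flags generic tags for manual review.
INJECTION_PATTERNS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("unexpected HTML markup", re.compile(r"<\s*/?\s*[a-z]", re.I)),
]


def render_bookmark_vulnerable(bookmark):
    """The 'before' pattern the advisory describes: the stored title is written
    into the page unescaped, so any browser-executable markup in it is rendered."""
    return '<li data-page="{}">{}</li>'.format(bookmark["page"], bookmark["title"])


def render_bookmark_safe(bookmark):
    """The hardened pattern: escape on output so the title is displayed as text.
    quote=True also escapes quotes, which matters when a value lands in an attribute."""
    page = int(bookmark["page"])  # numeric field: coerce to int, never interpolate raw
    title = html.escape(str(bookmark["title"]), quote=True)
    return '<li data-page="{}">{}</li>'.format(page, title)


def classify_title(title):
    """Return the reasons a title looks like an injection attempt (empty if clean)."""
    return [reason for reason, pattern in INJECTION_PATTERNS if pattern.search(title)]


def find_suspicious_bookmarks(bookmarks):
    """Scan stored bookmarks and return (page, title, reasons) for every entry
    that should be reviewed and, if unauthorized, removed."""
    findings = []
    for bm in bookmarks:
        reasons = classify_title(str(bm["title"]))
        if reasons:
            findings.append((bm["page"], bm["title"], reasons))
    return findings


if __name__ == "__main__":
    for page, title, reasons in find_suspicious_bookmarks(SAMPLE_BOOKMARKS):
        print(f"page {page}: {title!r} -> {', '.join(reasons)}")
    print("unsafe:", render_bookmark_vulnerable(SAMPLE_BOOKMARKS[2]))
    print("safe:  ", render_bookmark_safe(SAMPLE_BOOKMARKS[2]))
```

The scanner is deliberately conservative: a title with a harmless `<b>` tag is flagged alongside the script and event-handler cases, because a bookmark title is expected to be plain text and anything else warrants a look. The escaping function is the defensive half of the fix the advisory names; in a WordPress plugin the equivalent would be escaping with the core output functions at render time and sanitizing the title on save.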
Previous Vulnerabilities
This is the fourth vulnerability uncovered in the 3D FlipBook plugin since February 2022. Keeping software updated takes continued vigilance, but is necessary for mitigating risks.
Conclusion
For small business owners without the bandwidth to monitor everything, the key takeaway is maintaining awareness and enabling auto-updates whenever possible. Lean on managed IT services providers to help apply security best practices as well. By leveraging available resources, you can better defend your online assets from modern cyberthreats.
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.