PDF Flipbook, 3D Flipbook Vulnerability– DearFlip – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-0895 | WordPress Plugin Vulnerability Report 

Plugin Name: PDF Flipbook, 3D Flipbook – DearFlip

Key Information:

  • Software Type: Plugin
  • Software Slug: 3d-flipbook-dflip-lite
  • Software Status: Active
  • Software Author: dearhive
  • Software Downloads: 1,178,266
  • Active Installs: 100,000
  • Last Updated: February 8, 2024
  • Patched Versions: 2.2.27
  • Affected Versions: <= 2.2.26

Vulnerability Details:

  • Name: PDF Flipbook, 3D Flipbook – DearFlip <= 2.2.26
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  • CVE: CVE-2024-0895
  • CVSS Score: 5.4
  • Publicly Published: February 2, 2024
  • Researcher: Muhammad Daffa
  • Description: The PDF Flipbook, 3D Flipbook – DearFlip plugin for WordPress, known for transforming PDFs into interactive 3D flipbooks, harbors a vulnerability in its outline settings. This flaw, present in all versions up to 2.2.26, stems from inadequate input sanitization and output escaping, allowing attackers with contributor-level permissions or higher to inject malicious scripts. These scripts can then be executed by users who access the compromised pages, posing a significant risk to site integrity and user security.


The PDF Flipbook, 3D Flipbook – DearFlip plugin is an integral tool for many WordPress sites aiming to enhance user engagement with interactive 3D flipbooks. However, versions up to and including 2.2.26 contain a Stored Cross-Site Scripting vulnerability, exposing sites to potential security breaches. Thankfully, this critical issue has been resolved in version 2.2.27.

Detailed Overview:

This vulnerability was identified by cybersecurity researcher Muhammad Daffa, highlighting the ever-present need for rigorous security measures in plugin development. By exploiting the plugin's outline settings, attackers can embed harmful scripts that are executed when users interact with the compromised flipbook, leading to unauthorized access or data leaks. The swift release of a patch underscores the developer's commitment to user safety and the importance of maintaining up-to-date software.

Advice for Users:

  • Immediate Action: Ensure your site is running DearFlip version 2.2.27 or later to eliminate this vulnerability.
  • Check for Signs of Vulnerability: Regularly inspect your site for unexpected content changes or user reports of suspicious behavior, which may indicate exploitation.
  • Alternate Plugins: While the DearFlip plugin now has a patch, exploring alternative flipbook plugins can provide backup options should future vulnerabilities arise.
  • Stay Updated: Consistently updating all WordPress plugins and themes is crucial in safeguarding against known vulnerabilities and enhancing site security.


The prompt response by DearFlip's developers in addressing this vulnerability highlights the critical role that timely software updates play in web security. By upgrading to the patched version, users can protect their WordPress installations from potential exploits. This incident serves as a valuable reminder of the importance of vigilance and proactive measures in maintaining a secure online presence.


In an era where digital presence is synonymous with brand identity, the revelation of a vulnerability within the widely-used "PDF Flipbook, 3D Flipbook – DearFlip" WordPress plugin, designated as CVE-2024-0895, casts a spotlight on the perpetual battle for cybersecurity. This plugin, acclaimed for transforming mundane PDFs into interactive 3D flipbooks, is now at the heart of a security predicament that could potentially endanger countless websites and their users.

About the Plugin:

"PDF Flipbook, 3D Flipbook – DearFlip," developed by dearhive, stands as a cornerstone for over 100,000 websites, offering an engaging way to present content. With more than 1.1 million downloads, its impact is undeniable, making the security flaw not just a technical glitch but a widespread concern.

Vulnerability Details:

CVE-2024-0895 exposes a critical Stored Cross-Site Scripting (XSS) flaw within the plugin's outline settings, attributable to insufficient input sanitization and output escaping. This vulnerability empowers individuals with contributor-level access to embed malicious scripts, which can be executed unknowingly by users, compromising site and user security.

Risks and Potential Impacts:

The risks associated with this vulnerability are multifaceted, ranging from unauthorized data access and manipulation to the erosion of user trust. For businesses, the implications extend beyond mere technical repair to potential reputational damage, making swift action imperative.

Remediation Steps:

To mitigate this threat, website owners must promptly update to the patched version, 2.2.27, effectively closing the security gap. Additionally, regular audits for unexpected site changes and user activity can preempt further exploitation, ensuring the website remains a secure fortress for its visitors.

Historical Context:

This is not the plugin's first security rodeo; a previous vulnerability had been flagged back on September 15, 2021, underscoring the ongoing necessity for vigilance in the digital domain.

Concluding Thoughts:

For small business owners juggling myriad responsibilities, the notion of staying abreast of every security update might seem daunting. Yet, the reality of today's digital landscape dictates that cybersecurity is not just a technical issue but a foundational aspect of business integrity. The case of CVE-2024-0895 serves as a poignant reminder that in the digital realm, proactive security measures are not just advisable but essential for safeguarding your digital assets against the relentless tide of cyber threats. Leveraging managed WordPress hosting services or employing automated security solutions can alleviate the burden, ensuring that your website remains secure, resilient, and trusted by your users.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

PDF Flipbook, 3D Flipbook Vulnerability– DearFlip – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-0895 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment