CVE-2026-1314
Unauthorized Data Access in 3D FlipBook WordPress Plugin
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp-flipbook | 3d_flipbook | to 1.16.17 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to access flipbook page metadata for draft, private, and password-protected flipbooks due to a missing capability check.
This unauthorized access to potentially sensitive or private data could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require proper access controls to protect personal or sensitive information.
Can you explain this vulnerability to me?
The vulnerability exists in the 3D FlipBook β PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress. It is caused by a missing capability check in the send_post_pages_json() function in all versions up to and including 1.16.17.
Because of this missing check, unauthenticated attackers can access and retrieve flipbook page metadata even for draft, private, and password-protected flipbooks.
How can this vulnerability impact me? :
This vulnerability allows unauthorized users to access sensitive metadata related to flipbook pages without authentication.
While it does not allow modification or deletion of data, the exposure of metadata from draft, private, and password-protected flipbooks could lead to information disclosure.
The CVSS base score of 5.3 indicates a medium severity impact, primarily affecting confidentiality.