The plugin does not validate or escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks against high-privilege users such as administrators.
Proof of Concept
1. As an administrator, create a 3d FlipBook.
2. Log in as a contributor, and create a post with the following shortcode in it:
[3d-flip-book mode='fullscreen' id='1' classes='" onmouseover="alert(1)"']
3. Send the post for review (Publish) and preview the post.
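
The missing step described above, shown as an added example in plain PHP (not the plugin's source): one renderer that concatenates the attributes unescaped, and one that validates each attribute and escapes at output. The function names, the markup and the list of allowed modes are assumptions; only the attribute names and the sample values come from the shortcode in step 2.

```php
<?php
// Added illustration; hypothetical handlers, not the plugin's code.
// Attribute names (mode, id, classes) are taken from the shortcode on this page.

// Unsafe pattern: attribute values are concatenated into the markup as-is.
function render_unescaped(array $atts): string {
    return '<div class="flipbook ' . $atts['classes'] . '"'
         . ' data-id="' . $atts['id'] . '"'
         . ' data-mode="' . $atts['mode'] . '"></div>';
}

// Hardened pattern: validate each attribute, then escape at output.
function render_escaped(array $atts): string {
    // id must be a non-negative integer (absint() in WordPress).
    $id = abs((int) ($atts['id'] ?? 0));

    // mode is restricted to an allowlist; these values are assumed.
    $allowed_modes = ['fullscreen', 'inline'];
    $mode = $atts['mode'] ?? '';
    if (!in_array($mode, $allowed_modes, true)) {
        $mode = 'inline';
    }

    // classes: split on whitespace and keep only characters valid in a
    // class token (similar to sanitize_html_class() in WordPress).
    $tokens = ['flipbook'];
    foreach (preg_split('/\s+/', trim($atts['classes'] ?? ''), -1, PREG_SPLIT_NO_EMPTY) as $t) {
        $clean = preg_replace('/[^A-Za-z0-9_-]/', '', $t);
        if ($clean !== '') {
            $tokens[] = $clean;
        }
    }

    // Escape on output even after validation (esc_attr() in WordPress).
    $esc = fn($v) => htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="' . $esc(implode(' ', $tokens)) . '"'
         . ' data-id="' . $esc($id) . '"'
         . ' data-mode="' . $esc($mode) . '"></div>';
}

// Attribute values as parsed from the shortcode in step 2.
$atts = ['mode' => 'fullscreen', 'id' => '1', 'classes' => '" onmouseover="alert(1)"'];

echo render_unescaped($atts), PHP_EOL; // the value closes class="" and adds an attribute
echo render_escaped($atts), PHP_EOL;   // the value cannot leave the class attribute
```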