WordPress Plugin Vulnerabilities

DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer <= 2.4.28 - Missing Authorization

Description

The DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.4.28. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
3d-flipbook-dflip-lite
No known fix

References

CVE
CVE-2026-49047
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b3146b41-27d5-465d-a9ec-af4c50a0d612

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
timomangcut
Verified
No
WPVDB ID
50fce13a-28c6-411d-a534-9cf7e8893dea

Timeline

Publicly Published
2026-05-27 (about 9 days ago)
Added
2026-06-01 (about 3 days ago)
Last Updated
2026-06-02 (about 2 days ago)

Other

Published
Title
Published
2025-12-11
Title
Masker for Elementor <= 1.1.4 - Missing Authorization
Published
2025-06-05
Title
Wordapp <= 1.7.0 - Missing Authorization
Published
2025-05-27
Title
WP-Lister Lite for eBay < 3.8.5 - Missing Authorization
Published
2025-07-23
Title
Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition < 4.03.33 - Unauthenticated Login Token Generation to Authentication Bypass
Published
2025-03-27
Title
Conversios.io < 7.2.4 - Missing Authorization