WordPress Plugin Vulnerabilities

3D Flipbook < 1.15.3 - Contributor+ Stored XSS

Description

The plugin does not sanitise and escape the Ready Function field, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
interactive-3d-flipbook-powered-physics-engine
Fixed in 1.15.3

References

CVE
CVE-2023-6776
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/500fd8aa-9ad1-41ee-bbeb-cda9c80c4fcb

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
94e2b5a4-d35c-4b8a-a095-8217f554dcc5

Timeline

Publicly Published
2024-01-02 (about 2 years ago)
Added
2024-01-03 (about 2 years ago)
Last Updated
2024-01-03 (about 2 years ago)

Other

Published
Title
Published
2025-02-23
Title
Frontend Admin by DynamiApps < 3.25.18 - Reflected Cross-Site Scripting
Published
2025-01-16
Title
Demo User DZS – Showcase your admin safely <= 1.1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2024-05-31
Title
DOP Shortcodes <= 1.2 - Contributor+ Stored XSS via Shortcode
Published
2025-04-10
Title
Silvasoft boekhouden <= 3.0.5 - Reflected Cross-Site Scripting
Published
2024-11-18
Title
GoQSmile <= 1.0.1 - Reflected Cross-Site Scripting