{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5314", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-29T00:24:17.468Z", "datePublished": "2025-07-01T11:27:12.335Z", "dateUpdated": "2026-04-08T17:29:21.005Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:21.005Z"}, "affected": [{"vendor": "dearhive", "product": "Dear Flipbook \u2013 PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3.65", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Dear Flipbook \u2013 PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to DOM-Based Reflected Cross-Site Scripting via the \u2018pdf-source\u2019 parameter in all versions up to, and including, 2.3.65 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Dear Flipbook \u2013 PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer <= 2.3.65 - DOM-Based Reflected Cross-Site Scripting via 'pdf-source'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e316c636-2dd7-4d50-8c99-36f08ecf03ad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/3d-flipbook-dflip-lite/trunk/assets/js/libs/pdf.min.js"}, {"url": "https://plugins.trac.wordpress.org/browser/3d-flipbook-dflip-lite/trunk/assets/js/dflip.min.js"}, {"url": "https://plugins.trac.wordpress.org/browser/3d-flipbook-dflip-lite/trunk/assets/js/dflip.js#L8861"}, {"url": "https://plugins.trac.wordpress.org/changeset/3319013/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Martin Herancourt"}], "timeline": [{"time": "2025-06-30T22:38:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-01T13:48:28.460320Z", "id": "CVE-2025-5314", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-01T13:57:50.512Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5314", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-01T13:48:28.460320Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-01T13:55:36.792Z"}}], "cna": {"title": "Dear Flipbook \u2013 PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer <= 2.3.65 - DOM-Based Reflected Cross-Site Scripting via 'pdf-source'", "credits": [{"lang": "en", "type": "finder", "value": "Martin Herancourt"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "dearhive", "product": "Dear Flipbook \u2013 PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3.65"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-30T22:38:55.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e316c636-2dd7-4d50-8c99-36f08ecf03ad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/3d-flipbook-dflip-lite/trunk/assets/js/libs/pdf.min.js"}, {"url": "https://plugins.trac.wordpress.org/browser/3d-flipbook-dflip-lite/trunk/assets/js/dflip.min.js"}, {"url": "https://plugins.trac.wordpress.org/browser/3d-flipbook-dflip-lite/trunk/assets/js/dflip.js#L8861"}, {"url": "https://plugins.trac.wordpress.org/changeset/3319013/"}], "descriptions": [{"lang": "en", "value": "The Dear Flipbook \u2013 PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to DOM-Based Reflected Cross-Site Scripting via the \u2018pdf-source\u2019 parameter in all versions up to, and including, 2.3.65 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:21.005Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5314", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:21.005Z", "dateReserved": "2025-05-29T00:24:17.468Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-01T11:27:12.335Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Dear Flipbook \u2013 PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to DOM-Based Reflected Cross-Site Scripting via the \u2018pdf-source\u2019 parameter in all versions up to, and including, 2.3.65 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Dear Flipbook \u2013 PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer para WordPress es vulnerable a ataques Cross-Site Scripting Reflejado Basado en DOM a trav\u00e9s del par\u00e1metro 'pdf-source' en todas las versiones hasta la 2.3.65 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar al usuario para que realice una acci\u00f3n, como hacer clic en un enlace."}], "id": "CVE-2025-5314", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-01T12:15:23.950", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/3d-flipbook-dflip-lite/trunk/assets/js/dflip.js#L8861"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/3d-flipbook-dflip-lite/trunk/assets/js/dflip.min.js"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/3d-flipbook-dflip-lite/trunk/assets/js/libs/pdf.min.js"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3319013/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e316c636-2dd7-4d50-8c99-36f08ecf03ad?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:56:59.170431+00:00", "value": {"mitigation_remediation": ["Update the Dear Flipbook plugin to version 2.3.66 or later to eliminate the vulnerability", "Configure the WordPress site to enforce a strong Content Security Policy that restricts script execution to trusted sources", "For environments where upgrading immediately is not possible, manually escape or filter the 'pdf-source' parameter in the plugin code to prevent untrusted input from being rendered as script"], "summary": {"action": "Patch", "impact": "DOM-Based Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the Dear Flipbook plugin for WordPress up to and including version 2.3.65 are affected. The plugin is distributed by dearhive under the name Dear Flipbook \u2013 PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer. Users running any of these versions should verify the installed version and plan an upgrade.", "description_and_impact": "The vulnerability resides in the Dear Flipbook \u2013 PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer WordPress plugin and allows an attacker to inject arbitrary script payloads via the 'pdf-source' parameter. Because the plugin performs insufficient input sanitization and output escaping, a crafted URL can produce executable JavaScript in a victim\u2019s browser, enabling classic XSS attacks. The primary impact is the compromise of the affected user\u2019s browser session, which may lead to credential theft, session hijacking or other client\u2011side attacks. This weakness corresponds to CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.1 places the issue in the medium severity range. The EPSS score is reported as less than 1%, indicating a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to persuade a user to visit a malicious link containing a crafted 'pdf-source' value; the vulnerability is therefore a DOM\u2011based reflected XSS that does not require authentication or possession of an admin account. The overall risk is moderate but could be elevated if the plugin is widely used on high\u2011traffic sites."}}}}, "created": "2026-04-21T20:00:25.902520+00:00", "updated": "2026-04-21T20:00:25.902532+00:00", "vendors": []}