CVE-2026-1314: Data Access in 3D FlipBook WordPress Plugin
Platform
wordpress
Component
interactive-3d-flipbook-powered-physics-engine
Fixed in
1.16.18
CVE-2026-1314 describes a data access vulnerability within the 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress. This flaw allows unauthenticated attackers to retrieve sensitive flipbook page metadata, potentially exposing confidential information. The vulnerability impacts versions up to 1.16.17, and a patch is available in version 1.16.18.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
The primary impact of CVE-2026-1314 is the unauthorized disclosure of flipbook page metadata. This metadata could include sensitive information contained within the flipbooks themselves, such as confidential documents, proprietary designs, or personal data. An attacker could systematically enumerate flipbooks, identifying those containing valuable or sensitive information. While direct access to the flipbook content isn't granted, the metadata leakage can provide valuable reconnaissance data for further attacks, potentially leading to more targeted exploits. The blast radius extends to any WordPress site utilizing the vulnerable plugin, particularly those hosting flipbooks containing sensitive data.
Exploitation Context
CVE-2026-1314 was published on April 15, 2026. Its severity is pending further evaluation, but the potential for data disclosure warrants attention. No public proof-of-concept exploits are currently known. It is not listed on KEV or EPSS. Given the plugin's popularity and the ease of exploitation, active campaigns are possible, though currently unconfirmed.
Threat Intelligence
Exploit Status
EPSS
0.05% (14% percentile)
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- Low — partial or indirect data access. Attacker gains limited information.
- Integrity
- None — no integrity impact. Attacker cannot modify data.
- Availability
- None — no availability impact. Service remains fully operational.
Weakness Classification (CWE)
Timeline
- Published
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-1314 is to immediately upgrade the 3D FlipBook plugin to version 1.16.18 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily restricting access to the plugin's API endpoints. While a WAF rule cannot directly prevent the vulnerability, it can be configured to block suspicious requests targeting the sendpostpages_json() function. There are no specific Sigma or YARA rules available for this vulnerability, but monitoring for unusual API requests to the plugin is recommended. After upgrading, verify the fix by attempting to access flipbook metadata without authentication; successful access indicates the vulnerability persists.
How to fix
Update to version 1.16.18, or a newer patched version
Frequently asked questions
What is CVE-2026-1314 — Data Access in 3D FlipBook WordPress Plugin?
CVE-2026-1314 is a medium severity vulnerability affecting the 3D FlipBook WordPress plugin, allowing unauthenticated attackers to retrieve flipbook metadata. It impacts versions up to 1.16.17.
Am I affected by CVE-2026-1314 in 3D FlipBook WordPress Plugin?
You are affected if your WordPress site uses the 3D FlipBook plugin version 1.16.17 or earlier. Check your plugin version and upgrade immediately if vulnerable.
How do I fix CVE-2026-1314 in 3D FlipBook WordPress Plugin?
Upgrade the 3D FlipBook plugin to version 1.16.18 or later. If immediate upgrade isn't possible, restrict access to the plugin's API endpoints.
Is CVE-2026-1314 being actively exploited?
Currently, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation suggests potential for future attacks.
Where can I find the official 3D FlipBook advisory for CVE-2026-1314?
Refer to the official 3D FlipBook plugin website or the WordPress plugin repository for the latest advisory and update information.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...