CVE-2026-1314
Published: 2026-04-15
Priority: P340 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 0.89% (54.9th percentile)
The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticated attackers to retrieve flipbook page metadata for draft, private and password-protected flipbooks.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | patrickhener_goshs | 1.0.7 – 1.1.4 | — |
GHSA-xmhp-j3xp-gmh4 (ghsa_unreviewed · 2026-04-22) · CVE-2026-1314 [MEDIUM] CWE-862
The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticated attackers to retrieve flipbook page metadata for draft, private and password-protected flipbooks.
GHSA (ghsa · 2026-04-10) · CVE-2026-40188 [HIGH] CWE-1314: goshs is Missing Write Protection for Parametric Data Values
### Summary
The SFTP rename command sanitizes only the source path and not the destination, so it is possible to write outside the SFTP root directory.
### Details
Here is the issue:
```go
// helper.go:155-215
func cmdFile(root string, r *sftp.Request, ip string, sftpServer *SFTPServer) error {
	fullPath, err := sanitizePath(r.Filepath, root) // Source: SANITIZED
	if err != nil {
		return err
	}
	switch r.Method {
	// ...
	case "Rename":
		err := os.Rename(fullPath, r.Target) // Destination: NOT SANITIZED!
	// ...
	}
	// ...
}
```
### PoC
To exploit, just upload a file to the SFTP server and rename it to a file with a full path.
Currently there is no key.txt file inside /tmp:
```bash
$ ls key.txt
ls: key.txt: No such file or directory
```
Start the SFTP serve
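The fix the advisory implies, as an added example that is not goshs's own code: the destination of a rename gets the same root check as the source. `sanitizePath` here is a hypothetical stand-in for the helper the advisory names, and it assumes the served root contains no symlinks that point outside it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any client path that would resolve outside root.
var ErrOutsideRoot = errors.New("path escapes the SFTP root")

// sanitizePath confines a client-supplied SFTP path to root (hypothetical stand-in
// for the helper named in the advisory). Absolute client paths are treated as
// root-relative; ".." traversal that leaves root is rejected (symlinks not resolved).
func sanitizePath(p, root string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, filepath.FromSlash(p)) // Join also cleans ".."
	if full != absRoot && !strings.HasPrefix(full, absRoot+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// safeRename checks the destination the same way the vulnerable handler checked
// only the source, so a Rename request cannot write anywhere else on the host.
func safeRename(root, source, target string) error {
	src, err := sanitizePath(source, root)
	if err != nil {
		return err
	}
	dst, err := sanitizePath(target, root)
	if err != nil {
		return fmt.Errorf("rename target %q: %w", target, err)
	}
	return os.Rename(src, dst)
}

func main() {
	root, _ := os.MkdirTemp("", "sftp-root")
	defer os.RemoveAll(root)
	_ = os.WriteFile(filepath.Join(root, "upload.txt"), []byte("x"), 0o600)
	// Same shape as the advisory's PoC: rename the upload to a path outside root.
	fmt.Println("traversal rename:", safeRename(root, "upload.txt", "../../tmp/key.txt"))
	fmt.Println("in-root rename:", safeRename(root, "upload.txt", "renamed.txt"))
}
```

A rejected destination is also worth logging with the client IP, since a rename aimed outside the root is a strong signal of traversal attempts against the server.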
No detection rules found.
Nuclei (CVSS 5.3) · CVE-2026-1314 [MEDIUM] WordPress 3D FlipBook <= 1.16.17 - Information Disclosure
WordPress 3D FlipBook - PDF Flipbook Viewer, Flipbook Image Gallery plugin versions <= 1.16.17 contain a missing authorization vulnerability in multiple AJAX endpoints. The fb3d_send_posts_in, fb3d_send_post_pages, fb3d_send_posts_in_pages, fb3d_send_posts_in_first_page, and fb3d_send_post_first_page handlers are registered with wp_ajax_nopriv hooks but fail to verify the post status of requested flipbook entries. This allows unauthenticated attackers to retrieve full metadata, PDF URLs, and configuration data of private, draft, and password-protected flipbook posts.
Template:
```yaml
id: CVE-2026-1314
info:
  name: WordPress 3D FlipBook <= 1.16.17 - Information Disclosure
  author: theamanrawat
  severity: medium
  description: |
    WordPress 3D
```
No writeups or analysis indexed.