3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gal…

Mar 16, 2026 | Plugins

Attack Vectors

CVE-2024-1081 is a medium-severity stored cross-site scripting (XSS) vulnerability (CVSS 6.4) affecting the WordPress plugin 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery (slug: interactive-3d-flipbook-powered-physics-engine) in versions 1.15.3 and earlier.

The issue can be exploited by an authenticated user with Contributor-level access or higher by injecting malicious script into the plugin’s bookmark feature. Because the payload is stored, it can execute later when other users view the affected content—without requiring them to click anything unusual.

This is especially relevant for organizations that allow multiple internal users, contractors, agencies, or partners to create or edit content (common in marketing teams), where Contributor access is often granted for workflow efficiency.

Security Weakness

The vulnerability stems from insufficient input sanitization and output escaping in how the plugin handles bookmark content. In plain terms: the plugin does not consistently clean potentially dangerous input before saving it, and does not reliably neutralize it when displaying it to visitors.

Because this is a stored XSS, the injected code can persist in your WordPress database and run whenever the affected page or flipbook element is rendered, potentially impacting multiple site visitors and administrators over time.
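The following is an added illustration of the weakness class described above, not code from the 3D FlipBook plugin itself. It contrasts a hypothetical bookmark handler that stores and prints user input untouched with a hardened version that checks the caller's capability and nonce, sanitizes on input and escapes on output. The option name (example_flipbook_bookmark), the nonce action (example_bookmark) and the function names are assumptions chosen for the example; the WordPress API calls (current_user_can, check_ajax_referer, sanitize_text_field, esc_url_raw, esc_url, esc_html, wp_unslash, update_option, get_option, wp_send_json_*) are real.

```php
<?php
// Added example, not the plugin's own code. A "bookmark" here is a label plus a
// link that a Contributor can save and that the flipbook later prints for visitors.

/* --- Vulnerable pattern: the input is trusted both when saved and when rendered --- */

function example_save_bookmark_vulnerable() {
    // Hypothetical handler: no capability or nonce check, no sanitization.
    $label = $_POST['label'] ?? '';
    $url   = $_POST['url'] ?? '';
    update_option( 'example_flipbook_bookmark', array( 'label' => $label, 'url' => $url ) );
}

function example_render_bookmark_vulnerable() {
    $b = get_option( 'example_flipbook_bookmark', array( 'label' => '', 'url' => '' ) );
    // Raw output: a label containing HTML or script markup is sent to the
    // browser as markup, so it runs for every visitor who loads this page.
    echo '<a class="flipbook-bookmark" href="' . $b['url'] . '">' . $b['label'] . '</a>';
}

/* --- Hardened pattern: authorize the request, sanitize on input, escape on output --- */

function example_save_bookmark_hardened() {
    // Only users allowed to edit content may store a bookmark, and the request
    // must carry a valid nonce (hypothetical action name 'example_bookmark').
    if ( ! current_user_can( 'edit_posts' ) || ! check_ajax_referer( 'example_bookmark', 'nonce', false ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // sanitize_text_field strips tags and control characters; esc_url_raw
    // drops URLs with disallowed schemes before anything reaches the database.
    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    $url   = esc_url_raw( wp_unslash( $_POST['url'] ?? '' ) );
    update_option( 'example_flipbook_bookmark', array( 'label' => $label, 'url' => $url ) );
    wp_send_json_success();
}

function example_render_bookmark_hardened() {
    $b = get_option( 'example_flipbook_bookmark', array( 'label' => '', 'url' => '' ) );
    // Escape at the point of output regardless of what the database holds:
    // stored values may predate the fix or have been written by another path.
    printf(
        '<a class="flipbook-bookmark" href="%s">%s</a>',
        esc_url( $b['url'] ),
        esc_html( $b['label'] )
    );
}
```

Output escaping is the layer that matters most for a stored XSS: because the payload persists in the database, anything already saved before a plugin update keeps being rendered as markup unless the display code escapes it. After updating, it is worth reviewing stored bookmark content written while the vulnerable version was installed rather than assuming the update alone removed it.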

Technical or Business Impacts

While the severity is rated Medium, the business implications can be meaningful because the attacker only needs Contributor+ access and the attack can affect high-value users (marketing admins, site owners, or even customers depending on where the flipbook appears).

Potential impacts include:

Account and session risk: Stored XSS can be used to interfere with how users interact with your site, potentially enabling actions in a logged-in user’s browser session. This can be particularly damaging if an Administrator views the compromised content.

Brand and trust damage: If scripts alter page content, inject unwanted pop-ups, or redirect users, customers may associate the experience with your brand—even if the root cause is a plugin flaw.

Compliance and reporting exposure: If user interactions, form submissions, or analytics tags are manipulated, it can undermine the integrity of marketing attribution and, in some environments, trigger compliance concerns (e.g., unexpected scripts running in user sessions).

Operational disruption: Investigating and cleaning stored script injections takes time and can force page rollbacks or temporary content takedowns, disrupting campaigns and planned launches.

Remediation: Update 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery to version 1.15.4 or newer (patched). See the CVE record: https://www.cve.org/CVERecord?id=CVE-2024-1081. Reference: Wordfence vulnerability advisory.

Similar Attacks

Stored cross-site scripting is a common way attackers turn limited access into broader impact, especially on content-heavy WordPress sites. Examples of major XSS events include:

Twitter XSS bug (2018) that could expose account data

Google fixes a YouTube vulnerability affecting accounts (reported 2020)

Wordfence blog reporting on recurring WordPress plugin XSS patterns
