CVE-2026-1314

MEDIUM NUCLEI

3D FlipBook <= 1.16.17 - Unauthenticated Data Access via send_post_pages_json()

Title source: llm

Exploitation Summary

CVE-2026-1314 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticated attackers to retrieve flipbook page metadata for draft, private and password-protected flipbooks.

Nuclei Templates (1)

WordPress 3D FlipBook <= 1.16.17 - Information Disclosure

MEDIUMVERIFIEDby theamanrawat

Shodan: http.html:"/wp-content/plugins/interactive-3d-flipbook-powered-physics-engine/"

FOFA: body="/wp-content/plugins/interactive-3d-flipbook-powered-physics-engine/"

References (2)

Core 2

Core References

https://www.wordfence.com/threat-intel/vulnerabilities/id/d7e41753-2dbf-4afa-b61e-e617be2c4dc2?source=cve

https://plugins.trac.wordpress.org/changeset/3467608/

Scores

CVSS v3 5.3

EPSS 0.0232

EPSS Percentile 85.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

iberezansky/3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery < 1.16.17

Published Apr 15, 2026

Tracked Since Apr 15, 2026