CVE-2024-1081 is a stored cross-site scripting vulnerability identified in the 3D FlipBook – PDF Flipbook WordPress plugin developed by iberezansky. This vulnerability exists in all versions up to and including 1.15.3 and is caused by improper neutralization of input during web page generation (CWE-79). Specifically, the plugin's bookmark feature fails to adequately sanitize and escape user-supplied input before rendering it on web pages. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into the bookmark data. Because the injected scripts are stored persistently, they execute automatically whenever any user views the affected page, enabling potential attacks such as session hijacking, privilege escalation, or distribution of malware. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges, no user interaction, and a scope change. Although no public exploits have been reported yet, the vulnerability poses a significant risk due to the common use of WordPress and the plugin’s popularity. The flaw highlights the importance of rigorous input validation and output encoding in WordPress plugin development to prevent stored XSS attacks.

The impact of CVE-2024-1081 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an attacker with contributor-level access to inject malicious scripts that execute in the context of other users’ browsers. This can lead to theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of users, defacement of website content, or distribution of malware to visitors. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who access the compromised pages, amplifying the potential damage. Organizations with multiple contributors or editors on their WordPress sites are at higher risk, as attackers only need contributor-level credentials to exploit the flaw. Although availability is not directly impacted, the reputational damage and potential data breaches resulting from exploitation can have severe operational and financial consequences. The vulnerability also increases the attack surface for further exploitation chains, such as pivoting to administrative accounts or injecting phishing content.

To mitigate CVE-2024-1081, organizations should first update the 3D FlipBook – PDF Flipbook WordPress plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, administrators should restrict contributor-level permissions to trusted users only and consider temporarily disabling the bookmark feature if feasible. Implementing a Web Application Firewall (WAF) with rules to detect and block typical XSS payloads targeting the plugin’s bookmark inputs can reduce risk. Regularly auditing user-generated content for suspicious scripts and monitoring logs for unusual activity related to bookmark usage is recommended. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Developers maintaining WordPress sites should also review custom input handling and ensure proper sanitization and output encoding consistent with WordPress security best practices. Finally, educating contributors about the risks of injecting untrusted content and enforcing strong authentication controls can further reduce exploitation likelihood.