CVE-2025-5289 is a stored cross-site scripting (XSS) vulnerability identified in the iberezansky 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress. The flaw exists due to improper neutralization of input during web page generation, specifically in the handling of the ‘style’ and ‘mode’ parameters. These parameters are not sufficiently sanitized or escaped before being rendered, allowing an attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the vulnerability is stored, the malicious script persists in the plugin’s data and executes whenever any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 1.16.15 and is limited to block-based WordPress themes, which use the newer block editor architecture. The CVSS 3.1 score of 6.4 indicates a medium severity, with network attack vector, low attack complexity, privileges required at the contributor level, no user interaction needed, and impact on confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability’s nature makes it a significant risk for websites using this plugin and theme combination. The issue stems from insufficient input validation and output escaping in the plugin’s codebase, which should be addressed by the vendor through patches or updates.

The impact of CVE-2025-5289 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts that execute in the context of other users’ browsers. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since contributors can typically create and edit content but not publish, the risk is elevated if the site’s workflow allows contributors to publish or if editors/admins view the injected content. The vulnerability does not affect availability directly but can severely damage trust and user data security. Organizations relying on this plugin for document display or flipbook functionality on block-based themes are at risk of targeted attacks, especially if they have multiple contributors or less restrictive content publishing workflows. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is public. The medium CVSS score reflects moderate risk but should not lead to complacency given the potential for data theft and site compromise.

To mitigate CVE-2025-5289, organizations should immediately update the iberezansky 3D FlipBook plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, administrators should restrict contributor-level user permissions to prevent injection of malicious scripts, or temporarily disable the plugin if feasible. Implementing a web application firewall (WAF) with rules to detect and block suspicious payloads in the ‘style’ and ‘mode’ parameters can reduce exploitation risk. Site owners should audit existing content for injected scripts and remove any suspicious code. Additionally, enforcing strict content security policies (CSP) can help mitigate the impact of XSS by restricting script execution sources. Regularly reviewing user roles and permissions to ensure the principle of least privilege is enforced will limit the number of users able to exploit this vulnerability. Monitoring logs for unusual activity related to the plugin’s parameters and user content submissions can provide early detection of attempted exploitation. Finally, educating content contributors about safe practices and the risks of injecting untrusted code is recommended.