CVE-2025-5289 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin suite developed by iberezansky, specifically the 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, and Flipbook Image Gallery plugins. These plugins are widely used to embed and display PDF documents and image galleries in a flipbook style within WordPress sites. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. Specifically, the 'style' and 'mode' parameters are insufficiently sanitized and escaped, allowing an attacker to inject arbitrary JavaScript code that is stored persistently within the plugin's data and executed whenever a user accesses the affected page. This vulnerability affects all versions up to and including 1.16.15 and is limited to WordPress sites using block-based themes. Exploitation requires the attacker to have at least Contributor-level authenticated access to the WordPress site, which is a relatively low privilege level that allows content creation but not administrative control. The vulnerability does not require user interaction once the malicious script is injected, as the payload executes automatically when the page is viewed. The CVSS v3.1 base score is 6.4 (medium severity), reflecting the network attack vector, low attack complexity, required privileges, no user interaction, and a scope change due to the potential impact on other users. The impact primarily affects confidentiality and integrity by allowing script execution in the context of the victim's browser, potentially leading to session hijacking, defacement, or further exploitation of the site or its users. No known exploits are currently reported in the wild, and no official patches have been released at the time of this analysis.

For European organizations, this vulnerability poses a significant risk especially to those relying on WordPress sites with block-based themes and using the affected iberezansky plugins for document or image display. The ability for an authenticated contributor to inject persistent malicious scripts can lead to unauthorized access to sensitive user data, session tokens, or internal resources via browser-based attacks. This can facilitate phishing, credential theft, or lateral movement within the organization's web infrastructure. Public-facing websites, intranets, or customer portals using these plugins are particularly vulnerable, potentially damaging reputation and trust. Given the medium CVSS score and the requirement for authenticated access, the threat is moderate but can escalate if attackers gain contributor access through weak credentials or social engineering. The scope change indicates that the vulnerability can affect users beyond the initial attacker, amplifying the impact. Additionally, the lack of patches increases the window of exposure. European organizations in sectors such as finance, healthcare, education, and government, which often use WordPress for content management, may face compliance and regulatory risks if user data is compromised.

1. Immediate mitigation should include restricting Contributor-level access strictly to trusted users and reviewing user roles and permissions to minimize the risk of unauthorized content submission. 2. Disable or remove the affected iberezansky plugins if they are not essential, or replace them with alternative plugins that have no known vulnerabilities. 3. For sites that must continue using these plugins, implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious payloads targeting the 'style' and 'mode' parameters. 4. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of injected scripts. 5. Regularly audit and sanitize existing content for malicious scripts, especially in pages created or edited by contributors. 6. Monitor logs for unusual contributor activity or unexpected changes in pages using the affected plugins. 7. Stay alert for official patches or updates from the vendor and apply them promptly once available. 8. Educate content contributors about secure content practices and the risks of injecting untrusted code. These measures go beyond generic advice by focusing on access control tightening, proactive content auditing, and layered defenses specific to the nature of this stored XSS vulnerability.