CVE-2025-5314 identifies a DOM-based reflected Cross-Site Scripting vulnerability in the Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer WordPress plugin developed by dearhive. This vulnerability exists in all versions up to and including 2.3.65 due to insufficient input sanitization and output escaping of the 'pdf-source' URL parameter. When a user is tricked into clicking a specially crafted link containing malicious JavaScript in this parameter, the script executes in the context of the victim's browser. This can lead to theft of sensitive information such as session cookies, user impersonation, or unauthorized actions performed on behalf of the user. The vulnerability is exploitable remotely without authentication but requires user interaction (clicking a malicious link). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation leading to XSS attacks.

The primary impact of this vulnerability is on the confidentiality and integrity of user data within affected WordPress sites using the Dear Flipbook plugin. Attackers can execute arbitrary scripts in the context of a victim's browser, potentially stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of the user without their consent. This can lead to account compromise, data leakage, and erosion of user trust. While availability is not directly affected, successful exploitation can facilitate further attacks or phishing campaigns. Organizations relying on this plugin for document display or embedding risk exposure of their users to targeted XSS attacks, especially if users are not security-aware. The vulnerability's requirement for user interaction limits automated exploitation but does not eliminate risk, particularly in environments with high user traffic or where social engineering is feasible.

To mitigate this vulnerability, organizations should immediately upgrade the Dear Flipbook plugin to a patched version once available. In the absence of an official patch, administrators can implement strict input validation and output encoding for the 'pdf-source' parameter, ensuring all user-supplied data is properly sanitized before rendering. Employing a Web Application Firewall (WAF) with rules to detect and block suspicious query parameters containing script tags or JavaScript payloads can provide interim protection. Additionally, enabling Content Security Policy (CSP) headers to restrict script execution sources can reduce the risk of XSS exploitation. Educating users to avoid clicking on suspicious links and monitoring web server logs for unusual requests targeting the 'pdf-source' parameter can help detect attempted exploits. Regular security audits and vulnerability scanning of WordPress plugins should be part of ongoing security hygiene.