CVE-2025-5314 is a DOM-Based Reflected Cross-Site Scripting (XSS) vulnerability affecting the Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer WordPress plugin developed by dearhive. This vulnerability exists in all versions up to and including 2.3.65 due to improper neutralization of user input in the 'pdf-source' parameter. Specifically, the plugin fails to adequately sanitize and escape input before incorporating it into web pages, allowing unauthenticated attackers to inject arbitrary JavaScript code. The attack vector involves tricking a user into clicking a crafted link containing malicious script code embedded in the 'pdf-source' parameter. When the victim visits the manipulated page, the injected script executes in their browser context. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability is classified under CWE-79, indicating improper input validation during web page generation. The CVSS 3.1 base score is 6.1 (medium severity), reflecting that the attack requires no privileges (AV:N/AC:L/PR:N) but does require user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects components beyond the vulnerable plugin itself. Confidentiality and integrity impacts are low, and availability is not affected. No known exploits are currently reported in the wild. The vulnerability was published on July 1, 2025, with the initial reservation on May 29, 2025. No patches or fixes have been linked yet, so users of the plugin should be cautious and monitor for updates.

For European organizations using WordPress sites with the Dear Flipbook plugin, this vulnerability poses a risk of client-side attacks that can compromise user sessions and data integrity. Attackers could exploit the vulnerability to steal authentication tokens or perform actions on behalf of users, potentially leading to unauthorized access or data leakage. Although the impact on server availability is negligible, the reputational damage and potential regulatory consequences under GDPR for failing to protect user data could be significant. Organizations with customer-facing websites or intranet portals using this plugin are particularly at risk. The vulnerability is exploitable without authentication but requires user interaction, so phishing or social engineering campaigns could be used to trigger the attack. The medium severity rating suggests that while the risk is not critical, it should be addressed promptly to prevent exploitation, especially in sectors handling sensitive information such as finance, healthcare, and government services.

1. Immediate mitigation involves disabling or removing the Dear Flipbook plugin until a secure patched version is released. 2. Monitor the vendor's official channels and WordPress plugin repository for updates or security patches addressing CVE-2025-5314. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests containing malicious payloads in the 'pdf-source' parameter. 4. Educate users and administrators about the risks of clicking on untrusted links, especially those purporting to reference PDF content on affected sites. 5. Conduct regular security audits and vulnerability scans on WordPress installations to identify vulnerable plugins. 6. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on web pages. 7. Review and harden input validation and output encoding practices in custom plugins or themes to prevent similar issues. 8. Consider isolating or sandboxing PDF viewer functionality to limit the impact of potential script execution.