CVE-2026-1314 Overview
CVE-2026-1314 is a missing authorization vulnerability [CWE-862] in the 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress. The flaw resides in the send_post_pages_json() function, which lacks a capability check. Unauthenticated attackers can invoke the function over the network to retrieve flipbook page metadata for draft, private, and password-protected flipbooks. The issue affects all plugin versions up to and including 1.16.17. Exploitation does not require user interaction or privileges, but impact is limited to confidentiality of metadata.
Critical Impact
Unauthenticated remote attackers can enumerate metadata from non-public flipbooks, exposing content intended to remain restricted.
Affected Products
- 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress
- All versions through 1.16.17
- WordPress sites using the affected plugin in default configuration
Discovery Timeline
- 2026-04-15 - CVE-2026-1314 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-1314
Vulnerability Analysis
The vulnerability stems from broken access control in the plugin's AJAX handler send_post_pages_json(). The handler returns page metadata for flipbook posts but does not verify the caller's capabilities or post visibility before responding. As a result, content that WordPress would otherwise gate behind authentication, password prompts, or draft status becomes accessible through a direct request.
The weakness maps to [CWE-862: Missing Authorization]. Flipbook posts in draft, private, and password-protected states are intended to remain hidden from anonymous visitors. The plugin treats the JSON endpoint as public, so it bypasses the visibility controls enforced by the WordPress core post query layer.
The EPSS data for this CVE indicates a relatively elevated likelihood of exploitation attempts compared to baseline. Authentication is not required, and the attack runs over standard HTTP(S).
Root Cause
The send_post_pages_json() function is registered as a WordPress AJAX action accessible to unauthenticated users. The handler accepts a post identifier and returns page metadata without calling current_user_can(), without validating the post status, and without honoring the password protection state of the target post. The absence of these checks is the direct root cause.
Attack Vector
An attacker sends a crafted HTTP request to the plugin's AJAX endpoint with a target flipbook post identifier. The server invokes send_post_pages_json(), which returns JSON metadata describing the flipbook pages regardless of post visibility. By iterating through post IDs, an attacker can enumerate draft and private flipbooks and harvest metadata from password-protected content. No credentials, tokens, or user interaction are required.
The vulnerability manifests in the AJAX handler registration and response logic. See the Wordfence Vulnerability Report and the WordPress Changeset 3467608 for the corrected capability and visibility checks.
Detection Methods for CVE-2026-1314
Indicators of Compromise
- Unauthenticated POST or GET requests to admin-ajax.php referencing the 3D FlipBook plugin's send_post_pages_json action.
- Bursts of sequential requests enumerating post IDs against the same AJAX action from a single source IP.
- HTTP 200 responses returning JSON page metadata for posts whose status is draft, private, or password-protected.
Detection Strategies
- Inspect web server and WordPress access logs for requests containing action=send_post_pages_json originating from unauthenticated sessions.
- Correlate request volume per source IP against the AJAX endpoint to surface enumeration patterns.
- Compare AJAX response payloads against the published status of referenced posts to identify metadata leakage of non-public content.
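The three strategies above combined into one log-scanning routine, added here as an illustration (not from the advisory or the plugin). It assumes an access log in combined format with the request Cookie header appended as one extra quoted field (Apache: "%{Cookie}i"); the log lines, IPs and post IDs are constructed.

```php
<?php
// Added detection sketch, not part of the advisory or the plugin. It assumes
// an access log in combined format with the request Cookie header appended as
// one more quoted field (Apache: "%{Cookie}i"), so a wordpress_logged_in_*
// cookie separates anonymous callers from logged-in ones.

// Constructed sample: an anonymous client walking post IDs, and an editor
// whose logged-in call to the same action is expected traffic.
$sample_log = <<<'LOG'
203.0.113.9 - - [15/Apr/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=send_post_pages_json&post_id=101 HTTP/1.1" 200 812 "-" "curl/8.0" "-"
203.0.113.9 - - [15/Apr/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=send_post_pages_json&post_id=102 HTTP/1.1" 200 790 "-" "curl/8.0" "-"
203.0.113.9 - - [15/Apr/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=send_post_pages_json&post_id=103 HTTP/1.1" 200 805 "-" "curl/8.0" "-"
198.51.100.4 - - [15/Apr/2026:10:05:10 +0000] "POST /wp-admin/admin-ajax.php?action=send_post_pages_json&post_id=7 HTTP/1.1" 200 2210 "-" "Mozilla/5.0" "wordpress_logged_in_abc=editor%7Cdeadbeef"
LOG;

$line_re = '/^(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" '
         . '(?<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?<cookie>[^"]*)"$/';

// Returns one alert per anonymous source IP that calls the vulnerable action
// at least $threshold times or walks consecutive post IDs.
function find_enumeration( string $log, string $line_re, int $threshold = 3 ): array {
    $per_ip = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( $line_re, $line, $m ) ) continue;
        if ( strpos( $m['target'], '/wp-admin/admin-ajax.php' ) !== 0 ) continue;
        parse_str( (string) parse_url( $m['target'], PHP_URL_QUERY ), $q );
        if ( ( $q['action'] ?? '' ) !== 'send_post_pages_json' ) continue;
        // A wordpress_logged_in_* cookie means a logged-in session; skip those.
        if ( strpos( $m['cookie'], 'wordpress_logged_in_' ) !== false ) continue;
        $ip = $m['ip'];
        $per_ip[ $ip ]['requests'] = ( $per_ip[ $ip ]['requests'] ?? 0 ) + 1;
        $per_ip[ $ip ]['ok']       = ( $per_ip[ $ip ]['ok'] ?? 0 ) + ( '200' === $m['status'] ? 1 : 0 );
        $per_ip[ $ip ]['ids'][ (int) ( $q['post_id'] ?? 0 ) ] = true;
    }
    $alerts = array();
    foreach ( $per_ip as $ip => $s ) {
        $ids = array_keys( $s['ids'] );
        sort( $ids );
        // Consecutive IDs from one source are the enumeration signature described above.
        $sequential = count( $ids ) > 1 && end( $ids ) - $ids[0] === count( $ids ) - 1;
        if ( $s['requests'] >= $threshold || $sequential ) {
            $alerts[ $ip ] = array( 'requests' => $s['requests'], 'http_200' => $s['ok'],
                                    'distinct_post_ids' => count( $ids ), 'sequential' => $sequential );
        }
    }
    return $alerts;
}

print_r( find_enumeration( $sample_log, $line_re ) );
```

On the sample above only 203.0.113.9 is reported (3 requests, 3 distinct consecutive post IDs, all HTTP 200). In practice admin-ajax.php actions are often sent in the POST body, which a standard access log does not record, so log the action parameter at the reverse proxy or WAF if you need body coverage.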
Monitoring Recommendations
- Forward WordPress and reverse proxy logs to a centralized analytics platform and alert on anonymous access to admin-ajax.php actions tied to the plugin.
- Track plugin inventory across WordPress estates to flag installations of the 3D FlipBook plugin at version 1.16.17 or earlier.
- Monitor for inbound enumeration patterns against the plugin endpoint and for unusually large or frequent JSON responses from it.
How to Mitigate CVE-2026-1314
Immediate Actions Required
- Update the 3D FlipBook plugin to the version released after 1.16.17 that includes the fix from WordPress Changeset 3467608.
- Audit existing draft, private, and password-protected flipbooks for sensitive metadata that may have been exposed.
- Restrict access to admin-ajax.php at the web application firewall to block anonymous calls to the vulnerable action until patching completes.
Patch Information
The vendor addressed the vulnerability in a release subsequent to 1.16.17. The patch adds the required capability and post visibility validation to send_post_pages_json(). Refer to WordPress Changeset 3467608 for the source-level fix and the Wordfence Vulnerability Report for advisory details.
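What the missing checks in the Root Cause section and the validation described here look like in a WordPress AJAX handler, as an added illustration: this is a hypothetical handler in the shape the advisory describes, not the 3D FlipBook plugin's code or its actual patch. The function names, the post_id parameter and the 'flipbook' post type are placeholders; current_user_can('read_post', ...) and post_password_required() are the core WordPress APIs.

```php
<?php
// Added illustration, not code from the 3D FlipBook plugin or its fix: a
// hypothetical AJAX handler in the shape the advisory describes, first without
// the checks, then with the checks the patch is described as adding. Function
// names, the 'post_id' parameter and the 'flipbook' post type are placeholders.

// Vulnerable shape (not registered here): any caller, any post ID, no checks.
function flipbook_send_post_pages_json_unchecked() {
    $post_id = absint( $_REQUEST['post_id'] ?? 0 );
    // No current_user_can(), no status check, no post_password_required():
    // draft, private and password-protected flipbooks leak their metadata.
    wp_send_json( flipbook_collect_page_metadata( $post_id ) );
}

// Hardened shape. The nopriv registration stays, because published flipbooks
// must keep working for visitors; WordPress decides per post what this caller may read.
add_action( 'wp_ajax_send_post_pages_json',        'flipbook_send_post_pages_json' );
add_action( 'wp_ajax_nopriv_send_post_pages_json', 'flipbook_send_post_pages_json' );
function flipbook_send_post_pages_json() {
    $post = get_post( absint( $_REQUEST['post_id'] ?? 0 ) );

    // Unknown ID or wrong post type: same 404 either way, so the endpoint cannot
    // be used to confirm which IDs exist. wp_send_json_error() calls wp_die().
    if ( ! $post || 'flipbook' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    // 'read_post' is a meta capability: map_meta_cap() needs only 'read' for a
    // published post, 'read_private_posts' for a private one, and the edit_post
    // capabilities for drafts. An anonymous caller passes only the published case.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    // Password-protected flipbooks are published, so they pass the check above.
    // post_password_required() honours the wp-postpass_ cookie that the password
    // form sets, which is the same gate the front end applies.
    if ( post_password_required( $post ) ) {
        wp_send_json_error( array( 'message' => 'Password required.' ), 403 );
    }

    wp_send_json( flipbook_collect_page_metadata( $post->ID ) );
}

// Stand-in for the plugin's real metadata builder.
function flipbook_collect_page_metadata( $post_id ) {
    return array( 'post_id' => $post_id, 'pages' => array() );
}
```

A nonce check alone would not close this issue: nonces protect against CSRF, not against an anonymous caller who can fetch the nonce from a public page, so the per-post authorization checks are what the fix needs.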
Workarounds
- Deploy a WAF rule that blocks unauthenticated requests where the action parameter equals send_post_pages_json.
- Temporarily deactivate the 3D FlipBook plugin on sites that rely on draft, private, or password-protected flipbooks until the update is applied.
- Move sensitive flipbook content to alternate gated delivery mechanisms while the plugin remains unpatched.
# Example ModSecurity rule to block anonymous access to the vulnerable AJAX action
# (phase:2 so ARGS covers the action parameter whether it arrives in the query string or the POST body)
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "id:1026131401,phase:2,deny,status:403,chain,\
    msg:'Block CVE-2026-1314 3D FlipBook send_post_pages_json'"
    SecRule ARGS:action "@streq send_post_pages_json" "chain"
    # WordPress names its session cookie wordpress_logged_in_<hash>, so match the prefix rather than a bare wordpress_logged_in
    SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0"
# Cookie presence is only a heuristic and does not validate the session; treat the rule as a stopgap until the plugin is updated.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

