CVE-2025-39509: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in ThemeNcode TNC FlipBook WordPress plugin affecting versions through 12.1.0. The vulnerability was disclosed on May 16, 2025, and assigned identifier CVE-2025-39509. This security issue has been classified as an Improper Neutralization of Input During Web Page Generation vulnerability (Wiz, Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The exploitation requires low privileges and user interaction, with the attacker needing Contributor-level access or higher to the WordPress installation (Wiz, NVD).

If successfully exploited, this stored XSS vulnerability could enable attackers to inject malicious scripts that would be executed when users visit the affected pages. The potential consequences include theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' browsers (Wiz, Patchstack).

As of the disclosure date, no official fix has been released for this vulnerability. Users of the TNC FlipBook plugin should monitor for updates and consider implementing additional security controls or temporarily disabling the plugin if the risk is deemed too high (Wiz, Patchstack).