CVE-2025-5289: 
WordPress vulnerability analysis and mitigation

The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-5289) discovered in June 2025. The vulnerability affects all versions up to and including 1.16.15 and is caused by insufficient input sanitization and output escaping of the 'style' and 'mode' parameters. This security issue only affects block-based themes (NVD CVE).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (MEDIUM). The security flaw exists due to improper neutralization of input during web page generation, specifically in the handling of 'style' and 'mode' parameters. The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts that execute when users access the affected pages (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher privileges to inject malicious web scripts into pages. These scripts will execute whenever any user accesses the compromised pages, potentially leading to session hijacking, data theft, or other client-side attacks (NVD CVE).

The vulnerability has been patched in version 1.16.16 of the plugin. The update includes improved parameter escaping to avoid security issues with some themes. Users are advised to update to the latest version immediately (WordPress Plugin).