CVE-2024-9849 – 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin <= 4.6 - Authenticated (Author+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9849
The 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin plugin for WordPress (also listed as Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder) is vulnerable to arbitrary file uploads due to missing file type validation in the 'r3dfb_save_thumbnail_callback' function. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible. The two descriptions attached to this entry disagree on the affected range: one gives all versions up to and including 4.6 (matching the title and the trac reference below), the other all versions up to and including 4.8. Confirm the fixed version against the plugin's changelog before treating 4.7 or 4.8 as safe. • https://plugins.trac.wordpress.org/browser/real3d-flipbook-lite/tags/4.6/includes/plugin-admin.php#L77 https://www.wordfence.com/threat-intel/vulnerabilities/id/1f99b366-1a94-41ed-813a-bb13893604d0?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2016-10965 – Real3D Flipbook <= 1.0.0 - Directory Traversal
https://notcve.org/view.php?id=CVE-2016-10965
The real3d-flipbook-lite plugin 1.0 for WordPress has deleteBook=../ directory traversal for file deletion. • https://mukarramkhalid.com/wordpress-real-3d-flipbook-plugin-exploit https://wordpress.org/plugins/real3d-flipbook-lite/#developers • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2016-10966 – Real3D Flipbook <= 1.0.0 - File Upload to User Controlled Location
https://notcve.org/view.php?id=CVE-2016-10966
The real3d-flipbook-lite plugin 1.0 for WordPress has bookName=../ directory traversal for file upload. The Real3D Flipbook plugin for WordPress is vulnerable to file uploads to user controlled locations due to missing directory validation in the 'bookName' parameter in versions up to, and including, 1.0.0. This makes it possible for attackers to upload files to arbitrary locations on the affected site's server. • https://mukarramkhalid.com/wordpress-real-3d-flipbook-plugin-exploit https://wordpress.org/plugins/real3d-flipbook-lite/#developers • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2016-10967 – Real3D Flipbook <= 1.0 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-10967
The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-content/plugins/real3d-flipbook/includes/flipbooks.php bookId parameter. • https://mukarramkhalid.com/wordpress-real-3d-flipbook-plugin-exploit https://wordpress.org/plugins/real3d-flipbook-lite/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
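For a site that ran the 1.0 plugin, the three 2016 issues above leave recognisable traces in the web server access log: traversal sequences in deleteBook or bookName, and markup in the bookId parameter of flipbooks.php. The following is an added example, not from the advisories or the plugin, of a scanner that flags those requests, including double-percent-encoded traversal. The parameter names and the flipbooks.php path come from the advisories; the log lines are constructed for the example, and the admin-ajax.php endpoint shown carrying deleteBook and bookName is an assumption.

```python
"""
Added example, not from the advisories: scan access logs for requests that
match the three real3d-flipbook-lite 1.0 issues (CVE-2016-10965/10966/10967).
Sample log lines are constructed; the deleteBook/bookName endpoint is assumed.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# ".." as a whole path component, with / or \ on either side.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Crude reflected-XSS indicators; tune for your environment.
XSS_RE = re.compile(r"<|javascript:|\bon\w+\s*=", re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e%252e -> %2e%2e -> ..)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line: str) -> List[Dict[str, str]]:
    m = LOG_RE.match(line)
    if not m:
        return []
    target = urlsplit(m.group("target"))
    params = parse_qs(target.query, keep_blank_values=True)  # decodes once
    hits = []
    for name, cve in (("deleteBook", "CVE-2016-10965"), ("bookName", "CVE-2016-10966")):
        for value in params.get(name, []):
            if TRAVERSAL_RE.search(decode_fully(value)):
                hits.append({"ip": m.group("ip"), "param": name,
                             "cve": cve, "value": value})
    # The XSS sink is a specific script, so only that path is checked.
    if target.path.endswith("/real3d-flipbook/includes/flipbooks.php"):
        for value in params.get("bookId", []):
            if XSS_RE.search(decode_fully(value)):
                hits.append({"ip": m.group("ip"), "param": "bookId",
                             "cve": "CVE-2016-10967", "value": value})
    return hits


def scan(log_text: str) -> List[Dict[str, str]]:
    return [h for line in log_text.splitlines() if line.strip()
            for h in analyse_line(line)]


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2019:10:01:02 +0000] "GET /wp-content/plugins/real3d-flipbook/includes/flipbooks.php?bookId=3 HTTP/1.1" 200 4120
203.0.113.9 - - [12/Mar/2019:10:01:09 +0000] "GET /wp-content/plugins/real3d-flipbook/includes/flipbooks.php?bookId=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4311
203.0.113.9 - - [12/Mar/2019:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?deleteBook=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 2
203.0.113.9 - - [12/Mar/2019:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?bookName=..%5C..%5Cuploads HTTP/1.1" 200 17
198.51.100.7 - - [12/Mar/2019:10:03:01 +0000] "GET /wp-admin/admin-ajax.php?deleteBook=old-catalogue HTTP/1.1" 200 2
203.0.113.9 - - [12/Mar/2019:10:03:30 +0000] "GET /search.php?bookId=%3Cscript%3E HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The scanner decodes beyond the single round that the web server and `parse_qs` perform, because a deleteBook value sent as `%252e%252e%252f` reaches PHP as `%2e%2e%2f` and is decoded again only if the application does so; logging both the raw and the fully decoded value lets the analyst decide which case applies. Backslash traversal is included because the target's path handling is not specified in the advisory.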