Login Sign Up

CVE-2012-6652

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to perform directory traversal via the pageflipbook_language parameter in the Page Flip Book WordPress plugin. Attackers can include and execute arbitrary local files on the server, potentially leading to remote code execution. WordPress sites using the vulnerable plugin are affected.

💻 Affected Systems

Products:
  • WordPress Page Flip Book Plugin (wppageflip)
Versions: All versions prior to fix
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin active.

📦 What is this software?

Page Flip Book by Page Flip Book Project

View all CVEs affecting Page Flip Book →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠

Likely Case

Local file inclusion allowing attackers to read sensitive files like configuration files, potentially leading to credential theft.

🟢

If Mitigated

Limited impact if proper file permissions and web server configurations restrict file access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple directory traversal attack requiring minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown specific version - plugin appears abandoned

Vendor Advisory: https://wordpress.org/support/topic/pageflipbook-pageflipbook_language-parameter-local-file-inclusion/

Restart Required: No

Instructions:

1. Remove the Page Flip Book plugin entirely. 2. Delete all plugin files from wp-content/plugins/wppageflip. 3. Consider alternative page flip plugins.

🔧 Temporary Workarounds

Input Validation

all

Add input validation to restrict pageflipbook_language parameter to allowed values only

Edit pageflipbook.php to validate language parameter against whitelist

Web Server Restrictions

all

Configure web server to block directory traversal attempts

Add mod_security rules or equivalent WAF rules

🧯 If You Can't Patch

  • Disable or remove the Page Flip Book plugin immediately
  • Implement web application firewall with directory traversal protection

🔍 How to Verify

Check if Vulnerable:

Check if wp-content/plugins/wppageflip directory exists and contains pageflipbook.php

Check Version:

Not applicable - plugin appears abandoned

Verify Fix Applied:

Confirm wppageflip directory is removed from wp-content/plugins

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '..' or '../' in pageflipbook_language parameter
  • Multiple failed attempts to access sensitive files

Network Indicators:

  • Unusual file access patterns via pageflipbook.php

SIEM Query:

web.url:*pageflipbook.php* AND web.param:*..*

📊 Metadata

CVE ID: CVE-2012-6652
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-22
Published: May 13, 2019
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2012-6652, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)