CVE-2025-69019 – This DOM-based cross-site scripting vulnerabili... (How to Fix)

Q: What is the severity of CVE-2025-69019?

CVE-2025-69019 has a CVSS score of 6.5 (MEDIUM). This DOM-based cross-site scripting vulnerability in the FlippingBook WordPress plugin allows attackers to inject malicious scripts into web pages viewed by other users. It affects WordPress sites using the FlippingBook plugin, potentially compromising user sessions and data. The vulnerability exists in versions up to and including 2.0.1.

📋 TL;DR

This DOM-based cross-site scripting vulnerability in the FlippingBook WordPress plugin allows attackers to inject malicious scripts into web pages viewed by other users. It affects WordPress sites using the FlippingBook plugin, potentially compromising user sessions and data. The vulnerability exists in versions up to and including 2.0.1.

💻 Affected Systems

Products:

FlippingBook WordPress Plugin

Versions: n/a through <= 2.0.1

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects WordPress installations with the FlippingBook plugin enabled. No special configuration required for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or perform actions on behalf of authenticated users.

🟠

Likely Case

Session hijacking, cookie theft, and credential harvesting from users visiting compromised pages.

🟢

If Mitigated

Limited impact if proper content security policies and input validation are implemented at the web application level.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

DOM-based XSS typically requires user interaction but can be exploited through crafted links or stored payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >2.0.1

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/flippingbook/vulnerability/wordpress-flippingbook-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find FlippingBook plugin. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and remove plugin until patched version is released.

🔧 Temporary Workarounds

Implement Content Security Policy

all

Add CSP headers to restrict script execution sources

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";

Disable Plugin

all

Temporarily disable the vulnerable plugin

wp plugin deactivate flippingbook
Or via WordPress admin: Plugins > Installed Plugins > FlippingBook > Deactivate

🧯 If You Can't Patch

Implement web application firewall rules to block XSS payloads
Restrict plugin access to trusted users only through authentication

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel: Plugins > Installed Plugins, find FlippingBook and check version number

Check Version:

wp plugin list --name=flippingbook --field=version

Verify Fix Applied:

Verify plugin version is >2.0.1 in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

Unusual JavaScript payloads in web server logs
Multiple requests to same page with suspicious parameters

Network Indicators:

HTTP requests containing script tags or JavaScript in parameters
Unusual outbound connections from user browsers

SIEM Query:

source="web_server" AND (uri="*<script*" OR uri="*javascript:*" OR params="*<script*" OR params="*javascript:*")

📊 Metadata

CVE ID: CVE-2025-69019

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-79

EPSS Score: 0.04% exploit probability (11.5th percentile)

Published: December 30, 2025

Last Updated: January 20, 2026

🔗 References

https://patchstack.com/database/Wordpress/Plugin/flippingbook/vulnerability/wordpress-flippingbook-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-69019, you might also want to check these: