Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in DearHive DearFlip allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects DearFlip: from n/a through 2.4.27.
AnalysisAI
Missing authorization in the DearFlip WordPress flipbook plugin (versions through 2.4.27) allows authenticated low-privileged users to bypass access control checks and read restricted data. The flaw, classified under CWE-862, permits exploitation of incorrectly configured access control security levels within the plugin's functionality. No public exploit code or active exploitation has been identified at time of analysis, and SSVC assessment rates technical impact as partial.
Technical ContextAI
DearFlip (by DearHive) is a WordPress plugin providing 3D flipbook functionality. CWE-862 (Missing Authorization) indicates the plugin fails to perform adequate permission or capability checks before granting access to certain plugin operations or data endpoints - a common pattern in WordPress plugins that implement custom AJAX handlers or REST API routes without verifying the caller's WordPress role or capability. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the vulnerable endpoint is network-accessible and requires only a low-privileged authenticated user, consistent with a subscriber or contributor-level account being able to invoke otherwise-restricted functionality. Affected versions span all releases up to and including 2.4.27 per EUVD-2026-32540.
RemediationAI
The primary remediation is to update the DearFlip plugin to a version beyond 2.4.27; however, the exact patched version number is not confirmed in the available input data - the fix version should be verified directly against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/3d-flipbook-dflip-lite/vulnerability/wordpress-dearflip-plugin-2-4-27-broken-access-control-vulnerability) and the WordPress plugin repository changelog before updating. If an immediate update is not possible, a compensating control is to restrict registration and limit access to trusted authenticated users only, reducing the pool of accounts that could trigger the missing authorization path - note this does not eliminate the flaw but reduces exposure on sites that do not require open user registration. Additional context is available via VulDB advisory at https://vuldb.com/vuln/366418.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32540
GHSA-g97j-4hmg-j4gx