Skip to main content

DearFlip CVE-2026-49047

| EUVDEUVD-2026-32540 MEDIUM
Missing Authorization (CWE-862)
2026-05-27 audit@patchstack.com GHSA-g97j-4hmg-j4gx
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:10 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in DearHive DearFlip allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects DearFlip: from n/a through 2.4.27.

AnalysisAI

Missing authorization in the DearFlip WordPress flipbook plugin (versions through 2.4.27) allows authenticated low-privileged users to bypass access control checks and read restricted data. The flaw, classified under CWE-862, permits exploitation of incorrectly configured access control security levels within the plugin's functionality. No public exploit code or active exploitation has been identified at time of analysis, and SSVC assessment rates technical impact as partial.

Technical ContextAI

DearFlip (by DearHive) is a WordPress plugin providing 3D flipbook functionality. CWE-862 (Missing Authorization) indicates the plugin fails to perform adequate permission or capability checks before granting access to certain plugin operations or data endpoints - a common pattern in WordPress plugins that implement custom AJAX handlers or REST API routes without verifying the caller's WordPress role or capability. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the vulnerable endpoint is network-accessible and requires only a low-privileged authenticated user, consistent with a subscriber or contributor-level account being able to invoke otherwise-restricted functionality. Affected versions span all releases up to and including 2.4.27 per EUVD-2026-32540.

RemediationAI

The primary remediation is to update the DearFlip plugin to a version beyond 2.4.27; however, the exact patched version number is not confirmed in the available input data - the fix version should be verified directly against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/3d-flipbook-dflip-lite/vulnerability/wordpress-dearflip-plugin-2-4-27-broken-access-control-vulnerability) and the WordPress plugin repository changelog before updating. If an immediate update is not possible, a compensating control is to restrict registration and limit access to trusted authenticated users only, reducing the pool of accounts that could trigger the missing authorization path - note this does not eliminate the flaw but reduces exposure on sites that do not require open user registration. Additional context is available via VulDB advisory at https://vuldb.com/vuln/366418.

Share

CVE-2026-49047 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy