LiveActive security incident?Get immediate response
CVE Record

CVE-2016-10967: The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-content/plugins/real3d-flipbook/includ...

The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-content/plugins/real3d-flipbook/includes/flipbooks.php bookId parameter.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2016-10967 is an XSS issue in the WordPress real3d-flipbook-lite plugin 1.0. A vulnerable site could let attacker-controlled script run in a visitor’s browser through the bookId parameter. The sources do not provide CVSS, patch details, or evidence of active exploitation.

Executive priority

Treat this as a targeted WordPress plugin risk, not a confirmed mass-exploitation emergency. Prioritize if public sites use the plugin, especially sites with authenticated administrators or customer traffic.

Technical view

The CVE record describes cross-site scripting in wp-content/plugins/real3d-flipbook/includes/flipbooks.php through the bookId parameter in real3d-flipbook-lite 1.0. The source bundle does not state whether authentication is required, whether the XSS is reflected or stored, or which later versions fix it.

Likely exposure

Exposure is likely limited to WordPress sites that installed real3d-flipbook-lite 1.0 or retained the vulnerable plugin path. Internet-facing WordPress sites are the main concern. The provided data does not identify affected CPEs or broader product lines.

Exploitation context

A cited public reference is described as an exploit write-up, but the bundle does not include details or confirm real-world exploitation. The CVE is not listed as KEV in the provided data, so active exploitation should not be assumed.

Researcher notes

Evidence is sparse: no CVSS, CWE, CPE, exploit maturity, authentication requirement, or fixed-version data is provided. Validate exposure before escalation, and avoid assuming exploitability beyond the stated bookId XSS condition.

Mitigation direction

  • Inventory WordPress sites for real3d-flipbook-lite and exact installed versions.
  • Check vendor or WordPress plugin guidance for a fixed version or removal recommendation.
  • Disable or remove version 1.0 if no supported fixed release is available.
  • Review WAF rules for generic XSS protection on vulnerable WordPress plugin paths.

Validation and detection

  • Confirm whether wp-content/plugins/real3d-flipbook exists on each WordPress host.
  • Verify plugin version from WordPress admin, filesystem metadata, or deployment inventory.
  • Review web logs for unusual requests to flipbooks.php involving bookId.
  • Test only in an authorized staging environment using safe XSS detection methods.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2016-10967 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.