Security readout for executives and security teams
Plain-English summary
CVE-2016-10967 is an XSS issue in the WordPress real3d-flipbook-lite plugin 1.0. A vulnerable site could let attacker-controlled script run in a visitor’s browser through the bookId parameter. The sources do not provide CVSS, patch details, or evidence of active exploitation.
Executive priority
Treat this as a targeted WordPress plugin risk, not a confirmed mass-exploitation emergency. Prioritize if public sites use the plugin, especially sites with authenticated administrators or customer traffic.
Technical view
The CVE record describes cross-site scripting in wp-content/plugins/real3d-flipbook/includes/flipbooks.php through the bookId parameter in real3d-flipbook-lite 1.0. The source bundle does not state whether authentication is required, whether the XSS is reflected or stored, or which later versions fix it.
Likely exposure
Exposure is likely limited to WordPress sites that installed real3d-flipbook-lite 1.0 or retained the vulnerable plugin path. Internet-facing WordPress sites are the main concern. The provided data does not identify affected CPEs or broader product lines.
Exploitation context
A cited public reference is described as an exploit write-up, but the bundle does not include details or confirm real-world exploitation. The CVE is not listed as KEV in the provided data, so active exploitation should not be assumed.
Researcher notes
Evidence is sparse: no CVSS, CWE, CPE, exploit maturity, authentication requirement, or fixed-version data is provided. Validate exposure before escalation, and avoid assuming exploitability beyond the stated bookId XSS condition.
Mitigation direction
- Inventory WordPress sites for real3d-flipbook-lite and exact installed versions.
- Check vendor or WordPress plugin guidance for a fixed version or removal recommendation.
- Disable or remove version 1.0 if no supported fixed release is available.
- Review WAF rules for generic XSS protection on vulnerable WordPress plugin paths.
Validation and detection
- Confirm whether wp-content/plugins/real3d-flipbook exists on each WordPress host.
- Verify plugin version from WordPress admin, filesystem metadata, or deployment inventory.
- Review web logs for unusual requests to flipbooks.php involving bookId.
- Test only in an authorized staging environment using safe XSS detection methods.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2016-10967 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://wordpress.org/plugins/real3d-flipbook-lite/#developersCVE reference · x_refsource_MISC
- https://mukarramkhalid.com/wordpress-real-3d-flipbook-plugin-exploit/CVE reference · x_refsource_MISC
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
