3D FlipBook - Security, Draft Preview, and Gutenberg Block Migration for 3D FlipBook Lite (v1.16.19)

l***c@outlook.com
2026-05-07

Hi 3D FlipBook Team,

I reviewed the plugin and identified several issues affecting security and editor compatibility.

Main findings:

- Gutenberg has been the native WordPress editor since December 2018, yet the plugin CPT does not support it. The root cause is that REST support and the editor feature were missing from the CPT registration, causing WordPress to silently fall back to the classic editor for all flipbook posts.
- Draft/PDF loading is inconsistent due to publish-only filtering in AJAX flows for non-editor users.
- Potential admin XSS sink: raw HTML/JS output in admin notice rendering.
- Unsafe deserialization pattern: multiple unserialize calls on DB values without strict class restrictions.
- Authorization checks rely on role-name logic instead of capability checks.
- Some SQL is partially built via concatenation instead of fully prepared statements.
- save_post handling lacks explicit capability and post-type guards (defense-in-depth gap).

Requested Gutenberg direction:

Adding a native Gutenberg block is the right direction so options live in block controls (Inspector) instead of legacy metabox UX.

Recommended migration approach:

- Keep reading existing post meta for backward compatibility.
- Store new editor settings via REST-exposed meta and/or block attributes.
- Migrate gradually so existing flipbooks keep working without data loss.

Recommended priority:

1. XSS and unsafe deserialization hardening
2. Capability-based authorization refactor
3. Draft preview permission model
4. SQL hardening and save handler guards
5. Gutenberg block rollout with backward-compatible data migration

Tip: For best results, scan your code with an AI tool such as Copilot.

I'm looking forward to seeing these improvements implemented in a future release.
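The Gutenberg, draft-preview, capability and save_post points in the post above, as an added example that is not the plugin's own code: a CPT registered with REST and editor support, a REST-exposed meta field whose auth_callback uses a capability instead of a role name, a save handler guarded by nonce, post type and capability, and an AJAX PDF lookup that serves drafts only to users who can edit the post. The post type slug `flipbook_demo`, the meta keys, the nonce names and the AJAX action name are assumptions made for this illustration.

```php
<?php
// Added example (not the plugin's code). Slug 'flipbook_demo', the meta keys,
// nonce and AJAX action names below are hypothetical.

add_action( 'init', function () {
    register_post_type( 'flipbook_demo', array(
        'label'        => 'FlipBooks',
        'public'       => true,
        'show_in_rest' => true, // without this WordPress falls back to the classic editor
        'supports'     => array( 'title', 'editor', 'custom-fields' ),
    ) );

    // Expose settings over REST so a block can read/write them from the Inspector;
    // auth_callback decides per post via a capability, not a role name.
    register_post_meta( 'flipbook_demo', '_flipbook_demo_settings', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => true,
        'sanitize_callback' => 'sanitize_text_field',
        'auth_callback'     => function ( $allowed, $meta_key, $post_id ) {
            return current_user_can( 'edit_post', $post_id );
        },
    ) );
} );

// Save handler: explicit nonce, post-type and capability guards (defense in depth).
add_action( 'save_post_flipbook_demo', function ( $post_id, $post ) {
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['flipbook_demo_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['flipbook_demo_nonce'] ), 'flipbook_demo_save' ) ) {
        return;
    }
    if ( 'flipbook_demo' !== $post->post_type || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $settings = isset( $_POST['flipbook_demo_settings'] )
        ? sanitize_text_field( wp_unslash( $_POST['flipbook_demo_settings'] ) )
        : '';
    update_post_meta( $post_id, '_flipbook_demo_settings', $settings );
}, 10, 2 );

// Draft preview model: published flipbooks load for everyone, drafts only for
// users who may edit that post, instead of a blanket publish-only filter.
add_action( 'wp_ajax_flipbook_demo_get_pdf', 'flipbook_demo_get_pdf' );
add_action( 'wp_ajax_nopriv_flipbook_demo_get_pdf', 'flipbook_demo_get_pdf' );
function flipbook_demo_get_pdf() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $post    = get_post( $post_id );
    if ( ! $post || 'flipbook_demo' !== $post->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    if ( 'publish' !== $post->post_status && ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $pdf = get_post_meta( $post_id, '_flipbook_demo_pdf', true );
    wp_send_json_success( array( 'pdf' => esc_url_raw( $pdf ) ) );
}
```

Because the meta is registered with `show_in_rest`, a block can bind to it with the core `meta` source or `useEntityProp`, and the legacy metabox value keeps being read from the same key, which is the backward-compatible path the post recommends.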
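The XSS, deserialization and SQL findings above, as an added example that is not the plugin's code: the unsafe `unserialize` call beside a version that forbids object instantiation, an admin notice that escapes its text, and a lookup built entirely with `$wpdb->prepare`. Function names and the `_flipbook_demo_pdf` meta key are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code). Function names and meta key are hypothetical.

// Unsafe pattern from the report: any class stored in the serialized DB value is
// instantiated, so tampered data can reach __wakeup()/__destruct() of loaded classes.
function flipbook_demo_read_settings_unsafe( $raw ) {
    return unserialize( $raw );
}

// Hardened: allowed_classes => false keeps only scalars and arrays; objects become
// __PHP_Incomplete_Class, and a non-array result is discarded.
function flipbook_demo_read_settings( $raw ) {
    if ( ! is_string( $raw ) ) {
        return is_array( $raw ) ? $raw : array();
    }
    $data = @unserialize( $raw, array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : array();
}

// Admin notice: the message is escaped at output time; wp_kses_post() would be the
// choice if limited markup such as links were really needed.
add_action( 'admin_notices', function () {
    $msg = get_transient( 'flipbook_demo_notice' );
    if ( ! $msg ) {
        return;
    }
    delete_transient( 'flipbook_demo_notice' );
    printf( '<div class="notice notice-info"><p>%s</p></div>', esc_html( $msg ) );
} );

// SQL: every value goes through a placeholder; only the table name comes from $wpdb.
function flipbook_demo_find_by_pdf( $pdf_url, $limit = 10 ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %s LIMIT %d",
        '_flipbook_demo_pdf',
        $pdf_url,
        absint( $limit )
    );
    return array_map( 'intval', $wpdb->get_col( $sql ) );
}
```

Running `flipbook_demo_read_settings( 'O:8:"stdClass":0:{}' )` returns an empty array rather than an object, which is the behaviour to verify when auditing each of the plugin's unserialize call sites.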
