Stored Cross-Site Scripting in FV Flowplayer Video Player for WordPress
CVE-2026-12135
6.4 MEDIUM
What is CVE-2026-12135?
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) through the 'align' attribute of the 'video_player' shortcode. The plugin does not adequately sanitize input or escape output for user-supplied shortcode attributes, so an authenticated user with contributor-level access can store a script in a page. The script then runs when other users access that page, potentially compromising site security and user data.
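A triage check for content already stored on a site, as an added example that is not part of the advisory or the plugin's code: it scans post content for 'video_player' shortcodes whose 'align' value falls outside an allowlist. The allowed values (left, right, center), the function names and the sample rows are assumptions constructed for illustration.

```python
import re

# Assumption: the alignment values a site expects (not taken from the plugin).
ALLOWED_ALIGN = {"left", "right", "center"}

# One [video_player ...] tag; its attribute text is captured as a raw string.
SHORTCODE_RE = re.compile(r"\[video_player\b([^\]]*)\]", re.IGNORECASE)
# WordPress-style attributes: name="value", name='value' or name=value.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"\]]+))""")


def parse_attrs(raw):
    """Return a dict mapping lower-cased attribute names to their raw values."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        # Exactly one of the three value groups matched; take that one.
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def find_suspect_align(posts):
    """posts: iterable of (post_id, post_content).

    Returns [(post_id, align_value)] for every video_player shortcode whose
    align value is not in ALLOWED_ALIGN and so needs manual review.
    """
    findings = []
    for post_id, content in posts:
        for sc in SHORTCODE_RE.finditer(content):
            attrs = parse_attrs(sc.group(1))
            if "align" in attrs and attrs["align"].strip().lower() not in ALLOWED_ALIGN:
                findings.append((post_id, attrs["align"]))
    return findings


# Constructed sample rows, shaped like (ID, post_content) from wp_posts.
SAMPLE_POSTS = [
    (101, '[video_player src="https://example.com/a.mp4" align="left"]'),
    (102, "Intro [video_player src='https://example.com/b.mp4' align=center] outro"),
    # align value carries a quote and extra markup, so it is not a plain keyword.
    (103, '''[video_player src="https://example.com/c.mp4" align='right" data-x="1']'''),
    (104, '[video_player src="https://example.com/d.mp4"]'),
]

if __name__ == "__main__":
    for post_id, value in find_suspect_align(SAMPLE_POSTS):
        print(f"post {post_id}: unexpected align value {value!r}")
```

An allowlist comparison flags any value that is not a known keyword, so it does not depend on recognising particular script patterns.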
Affected Version(s)
FV Flowplayer Video Player: versions 0 through 7.5.51.7212