Cross Site Scripting Vulnerability in FV Flowplayer Video Player by WordPress
CVE-2026-49773

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Fv FloWPlayer Video Player
Vendor: CVE Published:; 15 June 2026

What is CVE-2026-49773?

A cross site scripting (XSS) vulnerability has been identified in the FV Flowplayer Video Player plugin for WordPress, affecting versions prior to 7.5.51.7212. This flaw allows attackers to inject malicious scripts into user interactions, potentially compromising user data and leading to unauthorized actions within the application.

Affected Version(s)

FV Flowplayer Video Player < 7.5.51.7212

References

https://patchstack.com/database/wordpress/plugin/fv-wordp...

vdb-entry

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 15, 2026
Vulnerability Reserved
Jun 1, 2026

Credit

Jakub Herman | Patchstack Bug Bounty Program

CVE-2026-49773 Data

JSON