Stored Cross-Site Scripting Vulnerability in FV Flowplayer Video Player Plugin for WordPress
CVE-2026-7556

7.2HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
9 June 2026

What is CVE-2026-7556?

The FV Flowplayer Video Player plugin for WordPress has a vulnerability that allows for stored cross-site scripting via comment submissions. This occurs due to inadequate input sanitization and output escaping. It enables attackers to inject malicious web scripts into pages, which execute when users interact with the infected comments. The exploit necessitates that an administrator has enabled the 'Parse Vimeo and YouTube links' setting, along with the approval of a comment containing the payload. This security gap underscores the importance of strict input validation and user comment moderation.

Affected Version(s)

FV Flowplayer Video Player 0 <= 7.5.49.7212

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matthew Rollings
Youcef Hamdani
.