Stored Cross-Site Scripting Vulnerability in FV Flowplayer Video Player Plugin for WordPress
CVE-2026-7556
7.2HIGH
What is CVE-2026-7556?
The FV Flowplayer Video Player plugin for WordPress has a vulnerability that allows for stored cross-site scripting via comment submissions. This occurs due to inadequate input sanitization and output escaping. It enables attackers to inject malicious web scripts into pages, which execute when users interact with the infected comments. The exploit necessitates that an administrator has enabled the 'Parse Vimeo and YouTube links' setting, along with the approval of a comment containing the payload. This security gap underscores the importance of strict input validation and user comment moderation.
Affected Version(s)
FV Flowplayer Video Player 0 <= 7.5.49.7212