CVE-2026-7556
Status: Received - Intake
Stored XSS in FV Flowplayer Video Player WordPress Plugin

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Wordfence

Description
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages; the injected script executes whenever a user views an affected page. Exploitation requires an administrator to have enabled the non-default 'Parse Vimeo and YouTube links' (parse_comments) plugin setting, and requires the submitted comment to be approved by an administrator before the payload is publicly delivered.
Affected Vendors & Products

Vendor          Product        Version / Range
fv_flowplayer   video_player   up to and including 7.5.49.7212
CWE ID    Description
CWE-79    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

The FV Flowplayer Video Player plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 7.5.49.7212. This vulnerability arises because the plugin does not properly sanitize input or escape output in comment text.

An unauthenticated attacker can exploit this by injecting malicious web scripts into comments. These scripts execute whenever a user views the affected page.

Exploitation requires that an administrator has enabled the non-default 'Parse Vimeo and YouTube links' setting and that the malicious comment is approved by an administrator before it becomes publicly visible.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary scripts in the context of users visiting the affected WordPress site.

Such script execution can lead to theft of user credentials, session hijacking, defacement, or redirection to malicious sites.

Because exploitation depends on an administrator enabling the non-default setting and approving the malicious comment, the risk is gated by administrative action; once such a comment is approved, however, the injected script runs for every visitor to the affected page, compromising user security and trust.
