Description
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to, and including, 7.5.51.7212 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-07-01
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The FV Flowplayer Video Player plugin for WordPress is vulnerable to stored cross-site scripting (CWE-79, improper neutralization of input during web page generation). The flaw arises from insufficient input sanitization and output escaping of the align attribute of the video_player shortcode: the attribute value a user supplies is written into the rendered page without being restricted to an expected set of alignment keywords or escaped for its HTML context. An authenticated user with the Contributor role or higher can therefore place a payload in the shortcode; it is saved with the post and runs in the browser of every visitor who opens the page, including logged-in editors and administrators. Because WordPress sets its authentication cookies HttpOnly, the practical impact is less about cookie theft than about actions performed with the victim's privileges (an administrator's browser being driven to create users or alter content), together with defacement and redirection of ordinary visitors.

Affected Systems

The vulnerability affects the FV Flowplayer Video Player plugin supplied by Foliovision; every WordPress installation running a version of the plugin up to and including 7.5.51.7212 is affected. Administrators should inventory all sites running a version in this range.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates moderate severity; the changed scope reflects that the payload is stored by the plugin but executes in visitors' browsers. The EPSS score is below 1%, the SSVC assessment records no known exploitation and rates the flaw as not automatable, and it is not listed in the CISA KEV catalog, so there is no evidence of exploitation in the wild at the time of writing. Exploitation requires an account with Contributor or higher privileges and the ability to submit or edit a post containing the malicious shortcode. Note that a Contributor's draft still has to be reviewed by an editor or administrator, and shortcodes are typically rendered in the post preview, so the reviewer's browser is the first place the stored payload executes. Once the post is published, every visitor to the page executes the script. The overall risk is moderate but should be addressed promptly, particularly on sites that accept content from untrusted contributors.

Generated by OpenCVE AI on July 1, 2026 at 12:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FV Flowplayer as soon as Foliovision publishes a release newer than 7.5.51.7212 that addresses this issue; until then treat every installed version in the affected range as vulnerable, since the advisory names no fixed version.
  • If an immediate update is not possible, reduce the number of accounts holding the Contributor role or higher, and audit existing content: search wp_posts.post_content (including drafts and pending posts) for video_player shortcodes whose align value is anything other than an expected alignment keyword, and correct or remove them.
  • Deploy a web application firewall or security plugin such as Wordfence to block XSS payloads and monitor for suspicious shortcode activity. Note that the payload sits inside a shortcode attribute rather than in an HTML tag, so rules that only look for <script> will miss it; the pattern to watch is an attribute-breakout sequence (a quote followed by an on* handler or a style attribute) inside a shortcode.
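The attribute-handling pattern described under Impact, and the content audit in the second action above, as an added Python example that is not code from the FV Flowplayer plugin or from Foliovision. Only the shortcode name and the align attribute come from the advisory; the accepted align values (left, right, center, none), the <div class="fv-player align-..."> markup, the simplified shortcode grammar and the sample posts are assumptions made for illustration. The block puts a handler that interpolates the attribute unescaped beside one that allow-lists and escapes it, and adds a scanner that flags stored shortcodes whose align value is off the allow-list, which is the check to run over an export of wp_posts.post_content before deciding what to delete.

```python
"""Model of the shortcode-attribute XSS pattern plus a scanner for stored posts.

Added illustration, not code from the FV Flowplayer plugin. Only the shortcode
name and the 'align' attribute come from the advisory; the accepted align
values, the <div> markup and the sample posts are assumptions.
"""
import html
import re

SHORTCODE = "video_player"

# Assumption: the only alignment keywords a renderer should ever accept.
ALLOWED_ALIGN = {"left", "right", "center", "none"}

# The three value forms WordPress's shortcode_parse_atts() accepts for
# key=value pairs: key="..."  key='...'  key=bare. Positional (key-less)
# attributes are ignored here for brevity.
_ATTR_RE = re.compile(
    r'([\w-]+)\s*=\s*"([^"]*)"'        # double-quoted value
    r"|([\w-]+)\s*=\s*'([^']*)'"       # single-quoted value
    r'|([\w-]+)\s*=\s*([^\s\'"]+)'     # bare value
)

# Simplified shortcode matcher: "[video_player ...]" with no ']' in the
# attribute text. WordPress's real get_shortcode_regex() also handles the
# enclosing [video_player]...[/video_player] form and escaped [[...]].
_SHORTCODE_RE = re.compile(r"\[" + re.escape(SHORTCODE) + r"(\s[^\]]*)?\]")


def parse_atts(attr_text):
    """Parse ' src="a.mp4" align=left' into {"src": "a.mp4", "align": "left"}."""
    atts = {}
    for m in _ATTR_RE.finditer(attr_text or ""):
        if m.group(1):
            key, value = m.group(1), m.group(2)
        elif m.group(3):
            key, value = m.group(3), m.group(4)
        else:
            key, value = m.group(5), m.group(6)
        atts[key.lower()] = value
    return atts


def render_vulnerable(atts):
    """The bug class: the attribute value is interpolated into HTML unescaped."""
    align = atts.get("align", "none")
    return f'<div class="fv-player align-{align}"></div>'


def render_hardened(atts):
    """Allow-list the value first, then escape on output as defence in depth
    (redundant for allow-listed keywords, but it keeps the template safe if
    the allow-list is ever relaxed)."""
    align = atts.get("align", "none").strip().lower()
    if align not in ALLOWED_ALIGN:
        align = "none"
    return f'<div class="fv-player align-{html.escape(align, quote=True)}"></div>'


def find_unsafe_shortcodes(post_content):
    """Return (raw shortcode, align value) pairs whose align is not an
    allow-listed keyword. Run this over post_content from a wp_posts export."""
    hits = []
    for m in _SHORTCODE_RE.finditer(post_content):
        align = parse_atts(m.group(1)).get("align")
        if align is not None and align.strip().lower() not in ALLOWED_ALIGN:
            hits.append((m.group(0), align))
    return hits


def scan_posts(posts):
    """Map post ID -> list of unsafe shortcodes, omitting clean posts."""
    report = {}
    for pid, content in posts.items():
        hits = find_unsafe_shortcodes(content)
        if hits:
            report[pid] = hits
    return report


# Constructed sample content, not real site data. Post 102 carries an
# attribute-breakout payload with no HTML tag in it, so tag-based filtering
# (including kses for a Contributor) leaves it untouched. Post 103 holds an
# off-list but harmless value, which the scan surfaces for review.
SAMPLE_POSTS = {
    101: '[video_player src="intro.mp4" align="left"]',
    102: "Watch: [video_player src='a.mp4' align='x\" onmouseover=\"alert(1)']",
    103: '[video_player align=center src="b.mp4"] and '
         '[video_player align=justify src="c.mp4"]',
}

if __name__ == "__main__":
    for pid, hits in scan_posts(SAMPLE_POSTS).items():
        for raw, align in hits:
            print(f"post {pid}: {raw}")
            print("  vulnerable render:", render_vulnerable({"align": align}))
            print("  hardened render:  ", render_hardened({"align": align}))
```

Anything the scan flags deserves a look rather than automatic deletion: a harmless but unexpected value such as justify shows up next to a real payload, and those false positives tell you what a tighter allow-list in the renderer has to accommodate. The check is deliberately on the stored shortcode text rather than on HTML syntax, because the payload is a shortcode attribute that contains no tag a filter keyed on <script> would see.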



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Foliovision
                                      Foliovision fv Flowplayer Video Player
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Foliovision
                                      Foliovision fv Flowplayer Video Player
                                      Wordpress
                                      Wordpress wordpress

Wed, 01 Jul 2026 11:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 05:00:00 +0000

Type          Values Removed   Values Added
Description                    The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to, and including, 7.5.51.7212 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                          FV Flowplayer Video Player <= 7.5.51.7212 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'video_player' Shortcode
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Foliovision Fv Flowplayer Video Player
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T10:32:05.245Z

Reserved: 2026-06-12T15:59:43.436Z

Link: CVE-2026-12135

Vulnrichment

Updated: 2026-07-01T10:30:48.824Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T14:45:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')