Impact
The FV Flowplayer Video Player plugin for WordPress is vulnerable to stored cross‑site scripting. The flaw arises from insufficient input sanitization and output escaping on the align attribute of the video_player shortcode. An authenticated contributor or higher user can inject arbitrary JavaScript, which is saved with the post and executed whenever a visitor opens the page. This can lead to defacement, theft of session cookies, or execution of further malicious actions on behalf of the victim. The weakness represents a classic unsanitized input (CWE‑79).
Affected Systems
The vulnerability affects the FV Flowplayer Video Player plugin supplied by Foliovision, any WordPress installation running any plugin version up to and including 7.5.51.7212. Administrators should examine all sites deploying this range.
Risk and Exploitability
The CVSS base score indicates a moderate severity risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not yet widely exploited. Exploitation requires the attacker to have contributor or higher privileges and to submit or edit a post containing the malicious shortcode. Once the payload is stored, any visitor to the affected page will execute the script, giving the attacker broad impact across the site. The overall risk is moderate but should be addressed promptly.
OpenCVE Enrichment