Description
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires an administrator to have enabled the non-default 'Parse Vimeo and YouTube links' (parse_comments) plugin setting, and requires a submitted comment to be approved by an administrator before the payload is publicly delivered.
Published: 2026-06-09
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The FV Flowplayer Video Player plugin for WordPress is vulnerable to a Stored Cross‑Site Scripting flaw that allows an unauthenticated attacker to inject arbitrary scripts through comment text. This injection results in execution of malicious code in the browser whenever a user visits a page containing the injected comment, potentially compromising confidentiality, integrity, and availability of the web application. The weakness is a classic input validation and output escaping failure, identified by CWE‑79.

Affected Systems

All versions of the FV Flowplayer Video Player plugin by foliovision up to and including 7.5.49.7212 are affected. The vulnerability is present when the administrator enables the non‑default 'Parse Vimeo and YouTube links' (parse_comments) setting. An attacker must submit a comment that is subsequently approved by an administrator before the payload is rendered on publicly accessible pages.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity level. The EPSS score is not available, so the exact exploitation probability cannot be determined, but the lack of a requirement for authenticated access suggests that the vulnerability can be leveraged by anyone who can submit a comment. However, exploitation also depends on the administrator approving the comment and the special parse_comments setting being enabled. The vulnerability is not listed in the CISA KEV catalog, but the risk of sensitive data exposure or site defacement remains significant due to the stored nature of the payload.

Generated by OpenCVE AI on June 9, 2026 at 05:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the FV Flowplayer Video Player plugin to a version newer than 7.5.49.7212.
  • Disable the 'Parse Vimeo and YouTube links' (parse_comments) option unless it is essential; if required, apply strict sanitization to comment content.
  • Review existing comments for embedded scripts, remove any that contain unescaped code, and enable comment moderation to block similar future attacks.

Generated by OpenCVE AI on June 9, 2026 at 05:28 UTC.
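
The second recommended action above asks for strict sanitization of comment content when link parsing stays enabled. The following is an added example, not code from the FV Flowplayer plugin or from OpenCVE, showing the defensive pattern a plugin should follow when it turns untrusted comment text into video embeds: extract only a video ID with a strict character class, rebuild the embed URL from that vetted ID, and HTML-escape every comment-derived string at output time. The function names (`extract_video_ids`, `render_comment`, `h`) and the sample comment are constructed for this example; in a real WordPress plugin the escaping calls would be `esc_url()` / `esc_attr()` and the remaining text would pass through `wp_kses()`.

```php
<?php
// Added example (hypothetical helper functions, not the plugin's own code).
// Goal: never echo comment text or comment-supplied URLs raw; only vetted IDs and
// escaped strings reach the HTML.
declare(strict_types=1);

/**
 * Return validated video references found in $comment.
 * Each element is ['provider' => 'youtube'|'vimeo', 'id' => <validated id>].
 * Only the ID capture group is reused; the surrounding link text is discarded.
 */
function extract_video_ids(string $comment): array
{
    $found = [];
    // YouTube IDs are exactly 11 characters from [A-Za-z0-9_-].
    $yt = '~https?://(?:www\.)?(?:youtube\.com/watch\?(?:\S*?&)?v=|youtu\.be/)([A-Za-z0-9_-]{11})~';
    if (preg_match_all($yt, $comment, $m)) {
        foreach ($m[1] as $id) {
            $found[] = ['provider' => 'youtube', 'id' => $id];
        }
    }
    // Vimeo IDs are purely numeric.
    if (preg_match_all('~https?://(?:www\.)?vimeo\.com/(\d{6,12})~', $comment, $m)) {
        foreach ($m[1] as $id) {
            $found[] = ['provider' => 'vimeo', 'id' => $id];
        }
    }
    return $found;
}

/** Escape a string for use in an HTML text node or a quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Render a comment: the text is escaped as a whole, then one iframe per validated
 * embed is appended. The iframe src is built from the vetted ID, never from the
 * original link, so attribute-injection characters in the comment cannot reach it.
 */
function render_comment(string $comment): string
{
    $html = '<p>' . h($comment) . '</p>';
    foreach (extract_video_ids($comment) as $v) {
        $src = $v['provider'] === 'youtube'
            ? 'https://www.youtube.com/embed/' . $v['id']
            : 'https://player.vimeo.com/video/' . $v['id'];
        $html .= '<iframe src="' . h($src) . '" loading="lazy" allowfullscreen></iframe>';
    }
    return $html;
}

// Constructed sample input: a legitimate link (made-up ID) plus markup that must be
// neutralised. The script tag comes out as text, and the iframe src contains only
// the rebuilt URL.
$sample = 'Nice clip https://youtu.be/AbCdEfGhIjK <script>alert(1)</script> " onmouseover="x';
echo render_comment($sample), PHP_EOL;
```

Running this with `php` prints the comment with `<`, `>`, `"` and `&` encoded and a single iframe whose `src` is `https://www.youtube.com/embed/AbCdEfGhIjK`. The property worth checking in a code review of any link-parsing feature is the same one this example enforces: there is no path from the raw comment string to the output that does not pass through either the escaping function or a validating regex capture.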

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type | Values removed | Values added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 04:45:00 +0000

Type | Values removed | Values added
First Time appeared | | Foliovision; Foliovision fv Flowplayer Video Player; Wordpress; Wordpress wordpress
Vendors & Products | | Foliovision; Foliovision fv Flowplayer Video Player; Wordpress; Wordpress wordpress

Tue, 09 Jun 2026 03:15:00 +0000

Type | Values removed | Values added
Description | | The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires an administrator to have enabled the non-default 'Parse Vimeo and YouTube links' (parse_comments) plugin setting, and requires a submitted comment to be approved by an administrator before the payload is publicly delivered.
Title | | FV Flowplayer Video Player <= 7.5.49.7212 - Unauthenticated Stored Cross-Site Scripting via Comment Text
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T15:59:19.731Z

Reserved: 2026-04-30T19:21:07.292Z

Link: CVE-2026-7556

Vulnrichment

Updated: 2026-06-09T15:59:14.414Z

NVD

Status : Deferred

Published: 2026-06-09T03:16:26.583

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-7556

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T05:30:36Z

Weaknesses