CVE-2026-7556: FV Flowplayer WordPress Plugin Stored XSS Vulnerability
The FV Flowplayer Video Player plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in versions up to 7.5.49.7212. An unauthenticated attacker can inject malicious scripts into page comments that execute when users visit the affected page. However, exploitation requires two conditions: the site administrator must have enabled the 'Parse Vimeo and YouTube links' setting (which is not enabled by default), and a moderator must approve the malicious comment before it becomes visible. Once those conditions are met, the injected code runs in the browsers of everyone who views the page.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires an administrator to have enabled the non-default 'Parse Vimeo and YouTube links' (parse_comments) plugin setting, and requires a submitted comment to be approved by an administrator before the payload is publicly delivered.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7556 is a Stored XSS vulnerability (CWE-79) arising from insufficient input sanitization and output escaping in the FV Flowplayer plugin's comment handling. When the parse_comments feature is enabled, the plugin processes comment text without adequately sanitizing or escaping user input. Attackers can craft comments containing JavaScript payloads that persist in the database and execute in visitor browsers with the privileges of the current user. The vulnerability affects all versions through 7.5.49.7212 and requires comment moderation approval before activation, creating a two-stage attack path.
Business impact
Compromised websites can serve malware, steal visitor session cookies and credentials, redirect users to phishing sites, or deface content—all while appearing to come from a trusted source. For media-heavy sites relying on video content (the Flowplayer use case), this undermines trust and may trigger search engine penalties. Organizations with high-traffic WordPress sites face reputational damage and potential regulatory liability if user data is harvested. The need for comment approval introduces friction but does reduce the attack surface compared to fully open comment systems.
Affected systems
WordPress installations using the FV Flowplayer Video Player plugin version 7.5.49.7212 or earlier are at risk, provided the 'Parse Vimeo and YouTube links' setting is enabled. This is a non-default configuration, so sites running the plugin with default settings are not vulnerable. Any WordPress site with this plugin and custom comment parsing enabled should be considered in scope for patching and testing.
Exploitability
The attack is relatively accessible: unauthenticated users can submit comments, and the barrier to exploitation is administrative approval—a process many site moderators perform routinely without close inspection of comment text. However, the requirement for both a non-default configuration and active moderation means ad-hoc attacks are less likely than coordinated campaigns targeting specific, well-known WordPress instances. The CVSS 3.1 score of 7.2 (HIGH) reflects high impact (information disclosure and integrity compromise across multiple contexts) balanced against the need for administrator-configured settings and comment approval.
Remediation
Update the FV Flowplayer plugin to the latest patched version (verify the specific version against the vendor's security advisory). As an interim measure, disable the 'Parse Vimeo and YouTube links' feature if not essential to your site's functionality. If the feature is required, implement stricter comment moderation workflows, such as requiring human review of all comments or disabling comments on sensitive content. Monitor existing comments for suspicious content and consider a Web Application Firewall (WAF) rule to block common XSS patterns in comment submissions.
Patch guidance
Check the WordPress plugin repository or the FV Flowplayer vendor website for version 7.5.49.7213 or later. Apply the update via the WordPress admin dashboard (Plugins > Installed Plugins > FV Flowplayer Video Player > Update) or manually if required. After patching, verify that the 'Parse Vimeo and YouTube links' feature continues to function correctly for legitimate use cases. Test comment submission and moderation workflows in a staging environment first to ensure no regression.
Detection guidance
Search WordPress plugin logs or audit trails for the FV Flowplayer plugin version number. Query the WordPress posts and comments tables for script tags or JavaScript event handlers (onload, onclick, onerror) in comment content. Web Application Firewalls can flag comment submissions containing script tags. Monitor for unusual comment approval activity, especially approvals by inactive or compromised admin accounts. Check browser console errors or network traffic anomalies from legitimate user sessions post-compromise. If a WAF is in place, enable logging for XSS payload attempts and review blocked requests.
Why prioritize this
This vulnerability merits prompt patching because stored XSS on WordPress sites is a common attacker objective for distributing malware and harvesting credentials at scale. Although the non-default configuration requirement and approval gate reduce the immediate threat, sites that do have the feature enabled face high impact. The vulnerability was published in June 2026 and is not on the CISA KEV list, suggesting it has not yet been exploited in the wild at scale—making this a narrow window to patch before weaponization increases.
Risk score, explained
The CVSS 3.1 score of 7.2 reflects a HIGH severity assessment: the attack requires only network access and no special privileges or user interaction (in the attacker's role), and it compromises confidentiality and integrity across browser contexts. However, the score does not fully capture the real-world friction introduced by the requirement for a non-default configuration setting and comment approval, which significantly reduces attack surface in practice. Organizations should treat this as HIGH priority for sites with the parse_comments feature enabled, but may deprioritize sites running default configurations.
Frequently asked questions
Do I need to patch if I haven't enabled the 'Parse Vimeo and YouTube links' setting?
No. The vulnerability only manifests when this non-default setting is enabled. If you have the default configuration, you are not at risk from this particular vulnerability. However, it is good practice to stay current with plugin updates for other potential issues.
Can an attacker bypass the comment approval requirement?
No. The vulnerability requires that a site administrator or moderator approve the malicious comment before it becomes public and executes in visitor browsers. An attacker cannot bypass the approval workflow; they must wait for human moderation.
What is the difference between stored and reflected XSS, and why does it matter here?
Reflected XSS tricks a user into clicking a malicious link and only affects that user; stored XSS persists in a database and affects everyone who visits the page. This vulnerability is stored XSS, making it more dangerous because it affects all visitors to the page, not just those who clicked a specific link.
Will disabling comments prevent the attack?
Yes, disabling comments entirely removes the attack surface. However, if comments are important to your site's engagement, disabling them may not be practical. A better interim approach is to disable just the 'Parse Vimeo and YouTube links' feature, apply stricter comment moderation, or update the plugin to a patched version.
This analysis is based on the CVE record and vendor information available as of the publication date. Exploit code or weaponized proof-of-concepts are not provided. Organizations should verify patch availability and version numbers against the official vendor advisory before deploying updates. SEC.co does not provide legal, compliance, or financial advice; consult your own security and legal teams regarding remediation timelines and risk tolerance. Real-world impact may vary based on site configuration, traffic, and defender maturity. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2023-54351HIGHStored XSS in WordPress Sonaar Music Plugin 4.7 – Patch & Detection Guide
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)