FV Flowplayer Video Player <= 7.5.0.727 - 7.5.2.727 Reflected Cross-Site Scripting
Description
The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 - 7.5.2.727.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FV Flowplayer Video Player plugin 7.5.0.727–7.5.2.727 has a reflected XSS in `~/view/stats.php` via the `player_id` parameter.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the FV Flowplayer Video Player WordPress plugin, versions 7.5.0.727 through 7.5.2.727. The flaw is located in the ~/view/stats.php file, where the player_id parameter is not properly sanitized or escaped before being output, allowing injection of arbitrary web scripts [1][2].
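As an added illustration (not code from the FV Flowplayer plugin or its patch), the hypothetical stats view below contrasts the reflecting pattern with a hardened one that validates player_id as a numeric id and escapes it on output; the function names and sample request are assumptions.

```php
<?php
// Illustrative example only; not the plugin's own stats.php.
// Scenario: a stats view writes the player id from the request into the page.

// Vulnerable pattern (do not use): the raw query value is concatenated into
// HTML, so any markup or script carried in player_id is reflected to the browser.
function render_stats_heading_unsafe(array $query): string {
    $player_id = $query['player_id'] ?? '';
    return '<h2 data-player="' . $player_id . '">Player stats</h2>';
}

// Hardened pattern: validate the value to the type it is supposed to be
// (a positive integer id). In WordPress the equivalent helper is absint().
function safe_player_id(array $query): ?int {
    $raw = $query['player_id'] ?? null;
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function render_stats_heading_safe(array $query): string {
    $player_id = safe_player_id($query);
    if ($player_id === null) {
        // Reject rather than echo: a non-numeric id is never a valid request,
        // and the rejected value itself is never written back into the page.
        return '<h2>Player stats: invalid player id</h2>';
    }
    // Escape for attribute context even though the value is already an integer,
    // so the output stays safe if the type check is ever loosened later.
    // In WordPress the equivalent helper is esc_attr().
    $attr = htmlspecialchars((string) $player_id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2 data-player="' . $attr . '">Player stats</h2>';
}

// Constructed sample requests: one carries markup instead of an id, one is valid.
$tainted = ['player_id' => '42"><b>not an id</b>'];
$valid   = ['player_id' => '42'];

echo render_stats_heading_unsafe($tainted), PHP_EOL; // markup passes through untouched
echo render_stats_heading_safe($tainted), PHP_EOL;   // request rejected, nothing reflected
echo render_stats_heading_safe($valid), PHP_EOL;     // numeric id rendered, escaped
```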
Exploitation
An attacker can exploit this reflected XSS by crafting a malicious URL containing a player_id parameter with embedded JavaScript. The victim must be logged into a WordPress site with the vulnerable plugin installed and click the crafted link (e.g., via phishing or social engineering). No authentication is required to trigger the vulnerability if the attacker can lure an admin or user to the link [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the affected WordPress site. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as login cookies [1][2].
Mitigation
The vulnerability is patched in FV Flowplayer Video Player version 7.5.50.7212, released on 4 May 2026 (as per the plugin's update page). Users are strongly advised to update to the latest version immediately. No known workaround exists for unpatched versions [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 7.5.0.727 - 7.5.2.727
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] plugins.trac.wordpress.org/changeset/2580834/fv-wordpress-flowplayer/trunk/view/stats.php
- [2] www.wordfence.com/vulnerability-advisories/
News mentions
No linked articles in our index yet.