WordPress FV Flowplayer Video Player Plugin <= 7.5.32.7212 is vulnerable to Cross Site Scripting (XSS)
Description
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.32.7212 versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in FV Flowplayer Video Player plugin versions ≤7.5.32.7212 allows unauthenticated attackers to inject arbitrary web scripts.
Vulnerability
The FV Flowplayer Video Player WordPress plugin (fv-wordpress-flowplayer) suffers from a reflected Cross-Site Scripting (XSS) vulnerability in versions up to and including 7.5.32.7212. The plugin fails to properly sanitize and escape user-supplied input, allowing an attacker to inject malicious scripts that are reflected back to the user's browser. [1]
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a URL that contains the XSS payload and tricking a victim into clicking it. The attacker does not require any privileged access or user interaction beyond the victim clicking the link. The malicious script executes in the context of the victim's session, with the same origin as the vulnerable WordPress site.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement of the website, redirection to malicious sites, or theft of sensitive information such as login credentials. The impact is limited to the user's browser and the security context of the WordPress site.
Mitigation
The vulnerability is fixed in version 7.5.50.7212, released on 2026-05-04. Users are strongly advised to update to the latest version. No other workarounds are available in the referenced material. [1]
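One way to act on the version information above, as an added example (not code from the plugin or from the referenced advisory): a POSIX shell check that classifies an installed `fv-wordpress-flowplayer` version against the stated affected range and fixed version. The function names and the `unlisted` state, used for versions between the two stated values, are assumptions of this example; when given a site path it reads the version through WP-CLI's `wp plugin get`.

```shell
#!/bin/sh
# Added example: classify an fv-wordpress-flowplayer version against the
# two versions stated on this page. Function names are hypothetical.
AFFECTED_MAX="7.5.32.7212"   # last version listed as affected
FIXED_IN="7.5.50.7212"       # version stated as fixed

# ver_cmp A B -> prints -1, 0 or 1. Fields are compared as numbers,
# because a plain string comparison would rank 7.5.9 above 7.5.32.
ver_cmp() {
  _a=$1; _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}; _y=${_b%%.*}
    case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    _x=${_x:-0}; _y=${_y:-0}          # missing fields count as 0
    if [ "$_x" -lt "$_y" ]; then echo -1; return 0; fi
    if [ "$_x" -gt "$_y" ]; then echo 1; return 0; fi
  done
  echo 0
}

# classify_fv_version VERSION -> affected | fixed | unlisted | unknown
classify_fv_version() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) echo "unknown"; return 0 ;;  # not dotted digits
  esac
  if [ "$(ver_cmp "$1" "$AFFECTED_MAX")" -le 0 ]; then
    echo "affected"
  elif [ "$(ver_cmp "$1" "$FIXED_IN")" -ge 0 ]; then
    echo "fixed"
  else
    # Between the two stated versions: the page does not say either way,
    # so report it separately instead of guessing.
    echo "unlisted"
  fi
}

# Usage: sh check.sh /path/to/wordpress   (needs WP-CLI on PATH)
if [ -n "${1:-}" ] && command -v wp >/dev/null 2>&1; then
  v=$(wp --path="$1" plugin get fv-wordpress-flowplayer --field=version 2>/dev/null) || v=
  echo "fv-wordpress-flowplayer ${v:-not found}: $(classify_fv_version "$v")"
fi
```

A result of `unlisted` or `unknown` should be treated the same as `affected` for patching purposes, since the page only vouches for 7.5.50.7212 and later.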
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 7.5.32.7212
- Range: n/a
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.