CVE-2026-49773

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in the FV Flowplayer Video Player plugin for WordPress versions prior to 7.5.51.7212. The flaw allows a user with at least Subscriber-level privileges to inject arbitrary JavaScript and HTML into the plugin's video player settings. The injected payload executes when a privileged user (e.g., administrator) interacts with the crafted content, such as clicking a malicious link or visiting a specific page. [1]

Exploitation

An attacker must have a WordPress account with Subscriber or higher role to access the video player settings where the payload is stored. The attacker then crafts a malicious script and injects it into a vulnerable field. Exploitation requires a privileged user (e.g., Administrator) to perform an action such as clicking a link, visiting a crafted page, or submitting a form, which triggers the execution of the injected script. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser session. This can be used to redirect visitors to malicious sites, display unauthorized advertisements, deface the site, or steal sensitive information such as cookies and session tokens. The attack can affect all site visitors when the injected script runs on a page viewed by guests. [1]

Mitigation

The vulnerability is fixed in version 7.5.51.7212 and later. Users should update the plugin immediately. For those unable to update, the Patchstack platform offers a virtual mitigation rule that blocks attacks until the plugin is patched. [1]