VYPR
High severity (CVSS 7.2) · NVD Advisory · Published Jun 9, 2026

CVE-2026-7556

Description

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires an administrator to have enabled the non-default 'Parse Vimeo and YouTube links' (parse_comments) plugin setting, and requires a submitted comment to be approved by an administrator before the payload is publicly delivered.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Insufficient input sanitization and output escaping in comment processing allows for stored cross-site scripting."

Attack vector

An unauthenticated attacker can inject arbitrary web scripts into comment text. This payload is delivered when an administrator approves the comment and a user views the page containing the approved comment. Exploitation requires the 'Parse Vimeo and YouTube links' setting to be enabled [ref_id=1]. The vulnerability is triggered when the comment text is processed and rendered on a page.

Affected code

The vulnerability resides within the comment processing functions, specifically `fv_player_comment_text` and its related helper functions like `fv_player_comment_text_replace_video_urls_outside_html_tags` and `fv_player_comment_text_replace_video_urls_in_text` [ref_id=1]. These functions are responsible for parsing and rendering user-submitted comments, including those containing video URLs that are converted into shortcodes.

What the fix does

No fix commit is available for this CVE yet (see Patches above), so the provided code snippet does not show the fix. The expected patch would sanitize or escape the comment text before `fv_player_comment_text` processes it, so that injected markup is rendered as literal text rather than interpreted as executable code when the comment is displayed to users. The vulnerability lies in the lack of proper escaping when handling user-submitted comments.
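To make the "escape before processing" point concrete, here is an added, simplified Python model of a comment filter that turns video links into player shortcodes, shown in its defective and hardened forms. It is illustration only, not the FV Flowplayer plugin's code: `VIDEO_URL`, `shortcode_for`, the `[video ...]` shortcode name and the sample comment are all assumptions.

```python
import html
import re

# Hypothetical model of a "parse YouTube/Vimeo links in comments" filter, not
# the plugin's own code. Only a fixed set of URL shapes is recognised
# (allowlist), so a match can never contain quotes, brackets or angle brackets.
VIDEO_URL = re.compile(
    r"https?://(?:www\.)?(?:youtube\.com/watch\?v=[\w-]+|youtu\.be/[\w-]+|vimeo\.com/\d+)"
)

# Constructed sample comment: one legitimate link plus injected markup.
SAMPLE_COMMENT = "Nice talk! https://youtu.be/abc123XYZ see also <script>alert(1)</script>"


def shortcode_for(url: str) -> str:
    """Emit a (hypothetical) player shortcode; the attribute value is escaped
    so that a URL can never close the quoted attribute."""
    return f'[video src="{html.escape(url, quote=True)}"]'


def render_comment_unsafe(text: str) -> str:
    """The defective pattern: replace links in the raw comment and hand the
    result to the page as HTML. Any markup the commenter typed survives."""
    return VIDEO_URL.sub(lambda m: shortcode_for(m.group(0)), text)


def render_comment_safe(text: str) -> str:
    """Hardened pattern: tokenise the comment, HTML-escape every text segment,
    and turn only the recognised URLs into shortcodes. Because text is escaped
    before it reaches the page, the 'inside vs. outside an HTML tag' special
    case disappears: the commenter cannot author tags at all."""
    out = []
    pos = 0
    for m in VIDEO_URL.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        out.append(shortcode_for(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


def contains_raw_markup(rendered: str) -> bool:
    """Defender-side check for stored or rendered comments: an unescaped tag
    start in output that should be plain text is a red flag."""
    return re.search(r"<\s*/?\s*[a-zA-Z]", rendered) is not None


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(SAMPLE_COMMENT))
    print("safe:  ", render_comment_safe(SAMPLE_COMMENT))
```

In a real WordPress pipeline the shortcode is expanded after this step, which is why the attribute value is quote-escaped even though the allowlisted URL shapes cannot contain a quote.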

Preconditions

  • config: The 'Parse Vimeo and YouTube links' plugin setting must be enabled.
  • input: A comment containing malicious script injection must be submitted.
  • auth: An administrator must approve the submitted comment.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0 (no linked articles in our index yet)