Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Network-accessible plugin requiring PR:L contributor auth; S:C reflects XSS scope change to victim browser; A:N as server availability is unaffected.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to, and including, 7.5.51.7212 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in FV Flowplayer Video Player (all WordPress plugin versions up to and including 7.5.51.7212) allows authenticated contributors to permanently inject arbitrary JavaScript via the unsanitized align attribute of the [video_player] shortcode. The payload persists in the WordPress database and executes in the browser of every user who subsequently visits any page containing the injected shortcode, enabling session hijacking, credential harvesting, or further site compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with at minimum the contributor role - unauthenticated or subscriber-level access is insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.4 (Medium) is driven by AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who acquires contributor-level access to a WordPress site - through credential stuffing, phishing, or open contributor registration - creates or edits a post embedding a `[video_player align='<script>document.location=...+document.cookie</script>']` shortcode. Every visitor to any page where that post's content appears has the script silently executed in their browser, delivering session tokens to an attacker-controlled endpoint and enabling full account takeover of affected users including administrators. … |
| Remediation | Administrators should update the FV Flowplayer Video Player plugin to the latest version available in the WordPress plugin repository immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Fv Flowplayer Video Player
View allThe FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parame
The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS. Rated medium severi
The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows email subscription SQL injection. Rated cri
A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPres
The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription lis
The FV Flowplayer Video Player plugin for WordPress is vulnerable to time-based SQL Injection via the ‘exclude’ paramete
Cross-Site Request Forgery (CSRF) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.30.7212 versions
Authenticated (author or higher user role) SQL Injection (SQLi) vulnerability discovered in FV Flowplayer Video Player W
Stored Cross-Site Scripting in the FV Flowplayer Video Player WordPress plugin (versions below 7.5.51.7212) allows low-p
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitr
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_fv_player_use
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40899
GHSA-vq2p-p7j9-wrx9