Skip to main content

FV Flowplayer Video Player CVE-2026-12135

| EUVDEUVD-2026-40899 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 Wordfence GHSA-vq2p-p7j9-wrx9
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Network-accessible plugin requiring PR:L contributor auth; S:C reflects XSS scope change to victim browser; A:N as server availability is unaffected.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:31 vuln.today
CVE Published
Jul 01, 2026 - 03:43 nvd
MEDIUM 6.4

DescriptionCVE.org

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to, and including, 7.5.51.7212 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in FV Flowplayer Video Player (all WordPress plugin versions up to and including 7.5.51.7212) allows authenticated contributors to permanently inject arbitrary JavaScript via the unsanitized align attribute of the [video_player] shortcode. The payload persists in the WordPress database and executes in the browser of every user who subsequently visits any page containing the injected shortcode, enabling session hijacking, credential harvesting, or further site compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain contributor-level WordPress credentials
Delivery
Craft malicious JavaScript payload in shortcode align attribute
Exploit
Submit post containing injected [video_player] shortcode
Install
Payload persists in WordPress database
C2
Victim browses page rendering the shortcode
Execute
Script executes in victim browser
Impact
Session token exfiltrated or victim silently redirected

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with at minimum the contributor role - unauthenticated or subscriber-level access is insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.4 (Medium) is driven by AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who acquires contributor-level access to a WordPress site - through credential stuffing, phishing, or open contributor registration - creates or edits a post embedding a `[video_player align='<script>document.location=...+document.cookie</script>']` shortcode. Every visitor to any page where that post's content appears has the script silently executed in their browser, delivering session tokens to an attacker-controlled endpoint and enabling full account takeover of affected users including administrators. …
Remediation Administrators should update the FV Flowplayer Video Player plugin to the latest version available in the WordPress plugin repository immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-39350 MEDIUM POC
6.1 Oct 06

The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parame

CVE-2019-14799 MEDIUM POC
6.1 Aug 09

The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS. Rated medium severi

CVE-2019-14801 CRITICAL
9.8 Aug 09

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows email subscription SQL injection. Rated cri

CVE-2019-13573 CRITICAL
9.8 Jul 17

A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPres

CVE-2019-14800 MEDIUM POC
5.3 Aug 15

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription lis

CVE-2024-6338 HIGH
8.8 Jul 19

The FV Flowplayer Video Player plugin for WordPress is vulnerable to time-based SQL Injection via the ‘exclude’ paramete

CVE-2023-25066 HIGH
8.8 Feb 14

Cross-Site Request Forgery (CSRF) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.30.7212 versions

CVE-2022-25607 HIGH
7.2 Mar 18

Authenticated (author or higher user role) SQL Injection (SQLi) vulnerability discovered in FV Flowplayer Video Player W

CVE-2026-49773 MEDIUM
6.5 Jun 15

Stored Cross-Site Scripting in the FV Flowplayer Video Player WordPress plugin (versions below 7.5.51.7212) allows low-p

CVE-2023-30499 MEDIUM
6.1 Aug 18

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at

CVE-2018-0642 MEDIUM
6.1 Sep 07

Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitr

CVE-2023-4520 MEDIUM
5.4 Aug 25

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_fv_player_use

Share

CVE-2026-12135 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy