Skip to main content

FV Flowplayer Video Player CVE-2026-49773

| EUVDEUVD-2026-36894 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-5m6c-89c7-62pm
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

PR:L reflects subscriber-level access requirement; UI:R for victim page load; S:C for cross-session XSS; A:N because XSS does not cause service availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 22:50 vuln.today
Patch available
Jun 15, 2026 - 22:02 EUVD

DescriptionCVE.org

Subscriber Cross Site Scripting (XSS) in FV Flowplayer Video Player < 7.5.51.7212 versions.

AnalysisAI

Stored Cross-Site Scripting in the FV Flowplayer Video Player WordPress plugin (versions below 7.5.51.7212) allows low-privileged authenticated users - specifically those with subscriber-level access - to inject persistent malicious JavaScript that executes in the browsers of other site visitors or administrators who view affected content. The Scope:Changed CVSS metric confirms the payload escapes the plugin's trust boundary and can target higher-privileged sessions. No public exploit identified at time of analysis, and SSVC signals no confirmed exploitation; a vendor-released patch is available at version 7.5.51.7212.

Technical ContextAI

The affected component is the FV Flowplayer Video Player plugin for WordPress, developed by Foliovision and identified via CPE cpe:2.3:a:foliovision:fv_flowplayer_video_player:*:*:*:*:*:*:*:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning the plugin fails to properly sanitize or escape user-supplied input before rendering it in HTML/JavaScript context. The 'Subscriber' qualifier in the CVE title indicates the vulnerable input surface is accessible to the lowest authenticated WordPress role (subscriber), requiring no administrator or editor privileges to plant the payload. The CVSS S:C (Scope Changed) metric reflects the classic stored XSS cross-boundary issue: code injected by one user executes in another user's browser session, potentially targeting admin cookies or performing privileged actions.

RemediationAI

The primary remediation is to update the FV Flowplayer Video Player plugin to version 7.5.51.7212 or later via the WordPress plugin dashboard or manual update from the plugin repository; this is a vendor-released patch per advisory EUVD-2026-36894. If immediate update is not feasible, restrict subscriber-level user registration on the WordPress site (Settings → General → uncheck 'Anyone can register') to deny unauthenticated visitors the ability to create accounts and reach the vulnerable input surface - note this may affect legitimate membership workflows. Additionally, a Web Application Firewall (WAF) with XSS filtering rules can serve as a compensating control to detect and block script injection attempts in plugin input fields, though WAF bypass is possible and this is not a substitute for patching. Site administrators should also audit recent subscriber accounts for any existing injected content in video player configuration fields.

CVE-2021-39350 MEDIUM POC
6.1 Oct 06

The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parame

CVE-2019-14799 MEDIUM POC
6.1 Aug 09

The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS. Rated medium severi

CVE-2019-14801 CRITICAL
9.8 Aug 09

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows email subscription SQL injection. Rated cri

CVE-2019-13573 CRITICAL
9.8 Jul 17

A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPres

CVE-2019-14800 MEDIUM POC
5.3 Aug 15

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription lis

CVE-2024-6338 HIGH
8.8 Jul 19

The FV Flowplayer Video Player plugin for WordPress is vulnerable to time-based SQL Injection via the ‘exclude’ paramete

CVE-2023-25066 HIGH
8.8 Feb 14

Cross-Site Request Forgery (CSRF) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.30.7212 versions

CVE-2022-25607 HIGH
7.2 Mar 18

Authenticated (author or higher user role) SQL Injection (SQLi) vulnerability discovered in FV Flowplayer Video Player W

CVE-2026-12135 MEDIUM
6.4 Jul 01

Stored Cross-Site Scripting in FV Flowplayer Video Player (all WordPress plugin versions up to and including 7.5.51.7212

CVE-2023-30499 MEDIUM
6.1 Aug 18

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at

CVE-2018-0642 MEDIUM
6.1 Sep 07

Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitr

CVE-2023-4520 MEDIUM
5.4 Aug 25

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_fv_player_use

Share

CVE-2026-49773 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy