Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
PR:L reflects subscriber-level access requirement; UI:R for victim page load; S:C for cross-session XSS; A:N because XSS does not cause service availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Subscriber Cross Site Scripting (XSS) in FV Flowplayer Video Player < 7.5.51.7212 versions.
AnalysisAI
Stored Cross-Site Scripting in the FV Flowplayer Video Player WordPress plugin (versions below 7.5.51.7212) allows low-privileged authenticated users - specifically those with subscriber-level access - to inject persistent malicious JavaScript that executes in the browsers of other site visitors or administrators who view affected content. The Scope:Changed CVSS metric confirms the payload escapes the plugin's trust boundary and can target higher-privileged sessions. No public exploit identified at time of analysis, and SSVC signals no confirmed exploitation; a vendor-released patch is available at version 7.5.51.7212.
Technical ContextAI
The affected component is the FV Flowplayer Video Player plugin for WordPress, developed by Foliovision and identified via CPE cpe:2.3:a:foliovision:fv_flowplayer_video_player:*:*:*:*:*:*:*:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning the plugin fails to properly sanitize or escape user-supplied input before rendering it in HTML/JavaScript context. The 'Subscriber' qualifier in the CVE title indicates the vulnerable input surface is accessible to the lowest authenticated WordPress role (subscriber), requiring no administrator or editor privileges to plant the payload. The CVSS S:C (Scope Changed) metric reflects the classic stored XSS cross-boundary issue: code injected by one user executes in another user's browser session, potentially targeting admin cookies or performing privileged actions.
RemediationAI
The primary remediation is to update the FV Flowplayer Video Player plugin to version 7.5.51.7212 or later via the WordPress plugin dashboard or manual update from the plugin repository; this is a vendor-released patch per advisory EUVD-2026-36894. If immediate update is not feasible, restrict subscriber-level user registration on the WordPress site (Settings → General → uncheck 'Anyone can register') to deny unauthenticated visitors the ability to create accounts and reach the vulnerable input surface - note this may affect legitimate membership workflows. Additionally, a Web Application Firewall (WAF) with XSS filtering rules can serve as a compensating control to detect and block script injection attempts in plugin input fields, though WAF bypass is possible and this is not a substitute for patching. Site administrators should also audit recent subscriber accounts for any existing injected content in video player configuration fields.
More in Fv Flowplayer Video Player
View allThe FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parame
The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS. Rated medium severi
The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows email subscription SQL injection. Rated cri
A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPres
The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription lis
The FV Flowplayer Video Player plugin for WordPress is vulnerable to time-based SQL Injection via the ‘exclude’ paramete
Cross-Site Request Forgery (CSRF) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.30.7212 versions
Authenticated (author or higher user role) SQL Injection (SQLi) vulnerability discovered in FV Flowplayer Video Player W
Stored Cross-Site Scripting in FV Flowplayer Video Player (all WordPress plugin versions up to and including 7.5.51.7212
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitr
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_fv_player_use
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36894
GHSA-5m6c-89c7-62pm