Skip to main content

Fv Flowplayer Video Player

14 CVEs product

Monthly

CVE-2026-12135 MEDIUM This Month

Stored Cross-Site Scripting in FV Flowplayer Video Player (all WordPress plugin versions up to and including 7.5.51.7212) allows authenticated contributors to permanently inject arbitrary JavaScript via the unsanitized `align` attribute of the `[video_player]` shortcode. The payload persists in the WordPress database and executes in the browser of every user who subsequently visits any page containing the injected shortcode, enabling session hijacking, credential harvesting, or further site compromise. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis, though the stored nature of this XSS amplifies real-world risk relative to reflected variants.

WordPress XSS Fv Flowplayer Video Player
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-49773 MEDIUM PATCH This Month

Stored Cross-Site Scripting in the FV Flowplayer Video Player WordPress plugin (versions below 7.5.51.7212) allows low-privileged authenticated users - specifically those with subscriber-level access - to inject persistent malicious JavaScript that executes in the browsers of other site visitors or administrators who view affected content. The Scope:Changed CVSS metric confirms the payload escapes the plugin's trust boundary and can target higher-privileged sessions. No public exploit identified at time of analysis, and SSVC signals no confirmed exploitation; a vendor-released patch is available at version 7.5.51.7212.

XSS Fv Flowplayer Video Player
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-6338 HIGH PATCH This Week

The FV Flowplayer Video Player plugin for WordPress is vulnerable to time-based SQL Injection via the ‘exclude’ parameter in all versions up to, and including, 7.5.46.7212 due to insufficient. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi WordPress Fv Flowplayer Video Player
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2023-4520 MEDIUM PATCH This Month

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_fv_player_user_video’ parameter saved via the 'save' function hooked via init, and the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Fv Flowplayer Video Player
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2023-30499 MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Fv Flowplayer Video Player
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-25066 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.30.7212 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Fv Flowplayer Video Player
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2022-25613 MEDIUM This Month

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in FV Flowplayer Video Player (WordPress plugin) versions <= 7.5.18.727 via &fv_wp_flowplayer_field_splash parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Fv Flowplayer Video Player
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-25607 HIGH This Week

Authenticated (author or higher user role) SQL Injection (SQLi) vulnerability discovered in FV Flowplayer Video Player WordPress plugin (versions <= 7.5.15.727). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi WordPress Fv Flowplayer Video Player
NVD
CVSS 3.1
7.2
EPSS
0.8%
CVE-2021-39350 MEDIUM POC PATCH This Month

The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS PHP Fv Flowplayer Video Player
NVD
CVSS 3.1
6.1
EPSS
2.1%
CVE-2019-14800 MEDIUM POC This Month

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription list in CSV format via the wp-admin/admin-post.php?page=fvplayer&fv-email-export=1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Information Disclosure Fv Flowplayer Video Player
NVD
CVSS 3.0
5.3
EPSS
1.5%
CVE-2019-14801 CRITICAL Act Now

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows email subscription SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi WordPress Fv Flowplayer Video Player
NVD
CVSS 3.0
9.8
EPSS
1.8%
CVE-2019-14799 MEDIUM POC This Month

The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Fv Flowplayer Video Player
NVD
CVSS 3.1
6.1
EPSS
2.0%
CVE-2019-13573 CRITICAL PATCH Act Now

A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPress. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi WordPress Fv Flowplayer Video Player
NVD
CVSS 3.1
9.8
EPSS
4.4%
CVE-2018-0642 MEDIUM This Month

Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Fv Flowplayer Video Player
NVD
CVSS 3.0
6.1
EPSS
1.0%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in FV Flowplayer Video Player (all WordPress plugin versions up to and including 7.5.51.7212) allows authenticated contributors to permanently inject arbitrary JavaScript via the unsanitized `align` attribute of the `[video_player]` shortcode. The payload persists in the WordPress database and executes in the browser of every user who subsequently visits any page containing the injected shortcode, enabling session hijacking, credential harvesting, or further site compromise. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis, though the stored nature of this XSS amplifies real-world risk relative to reflected variants.

WordPress XSS Fv Flowplayer Video Player
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Stored Cross-Site Scripting in the FV Flowplayer Video Player WordPress plugin (versions below 7.5.51.7212) allows low-privileged authenticated users - specifically those with subscriber-level access - to inject persistent malicious JavaScript that executes in the browsers of other site visitors or administrators who view affected content. The Scope:Changed CVSS metric confirms the payload escapes the plugin's trust boundary and can target higher-privileged sessions. No public exploit identified at time of analysis, and SSVC signals no confirmed exploitation; a vendor-released patch is available at version 7.5.51.7212.

XSS Fv Flowplayer Video Player
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The FV Flowplayer Video Player plugin for WordPress is vulnerable to time-based SQL Injection via the ‘exclude’ parameter in all versions up to, and including, 7.5.46.7212 due to insufficient. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi WordPress Fv Flowplayer Video Player
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_fv_player_user_video’ parameter saved via the 'save' function hooked via init, and the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Fv Flowplayer Video Player
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Fv Flowplayer Video Player
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.30.7212 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Fv Flowplayer Video Player
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in FV Flowplayer Video Player (WordPress plugin) versions <= 7.5.18.727 via &fv_wp_flowplayer_field_splash parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Fv Flowplayer Video Player
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Authenticated (author or higher user role) SQL Injection (SQLi) vulnerability discovered in FV Flowplayer Video Player WordPress plugin (versions <= 7.5.15.727). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi WordPress Fv Flowplayer Video Player
NVD
EPSS 2% CVSS 6.1
MEDIUM POC PATCH This Month

The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS PHP +1
NVD
EPSS 2% CVSS 5.3
MEDIUM POC This Month

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription list in CSV format via the wp-admin/admin-post.php?page=fvplayer&fv-email-export=1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Information Disclosure +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows email subscription SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi WordPress Fv Flowplayer Video Player
NVD
EPSS 2% CVSS 6.1
MEDIUM POC This Month

The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Fv Flowplayer Video Player
NVD
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPress. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi WordPress Fv Flowplayer Video Player
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Fv Flowplayer Video Player
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy