HarborGuard Database
CVE-2026-7556 | Severity: HIGH | CNA: Wordfence

CVE-2026-7556: FV Flowplayer Video Player <= 7.5.49.7212 - Unauthenticated Stored Cross-Site Scripting via Comment Text

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires an administrator to have enabled the non-default 'Parse Vimeo and YouTube links' (parse_comments) plugin setting, and requires a submitted comment to be approved by an administrator before the payload is publicly delivered.
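To make the "insufficient input sanitization and output escaping" concrete, here is an added, illustrative PHP example (not the FV Flowplayer plugin's code, and not a claim about where its bug sits): a generic filter that turns a YouTube link found in comment text into an embed, in a weak form and a hardened form. Everything in it is constructed: the function names, the regexes, and the sample comment. The one thing it demonstrates that the description above does not show is that the dangerous sink is an HTML attribute built from comment text at render time, so core's kses filtering of comment input does not save a plugin that generates its own markup on output.

```php
<?php
// Added example, not the FV Flowplayer plugin's code: a generic "turn a
// YouTube link in a comment into an embed" filter in weak and hardened forms.
// The sink is an HTML attribute, so attribute-context escaping is the control.

// WEAK: the captured value is spliced straight into the src attribute.
// A comment such as
//     https://www.youtube.com/watch?v=dQw4w9WgXcQ" onload="alert(1)
// closes the attribute and adds an event handler to the iframe.
function render_comment_weak( string $comment_text ): string {
    if ( preg_match( '~https?://(?:www\.)?youtube\.com/watch\?v=(.+)~', $comment_text, $m ) ) {
        return '<iframe src="https://www.youtube.com/embed/' . $m[1] . '"></iframe>';
    }
    return $comment_text;
}

// HARDENED: constrain the captured value to the video ID alphabet (assumed
// here to be 11 characters of [A-Za-z0-9_-]), build the URL from that value
// only, and escape at the attribute sink. Inside WordPress use esc_url() for
// the URL and esc_attr() for the attribute; htmlspecialchars() is used so the
// file runs outside WordPress.
function render_comment_hardened( string $comment_text ): string {
    if ( preg_match( '~https?://(?:www\.)?youtube\.com/watch\?v=([A-Za-z0-9_-]{11})~', $comment_text, $m ) ) {
        $src = 'https://www.youtube.com/embed/' . $m[1];
        return '<iframe src="' . htmlspecialchars( $src, ENT_QUOTES, 'UTF-8' ) . '"></iframe>';
    }
    // No embeddable link: return the text escaped for an HTML text node.
    return htmlspecialchars( $comment_text, ENT_QUOTES, 'UTF-8' );
}

// Constructed payload (not a real exploit for this CVE) and a self-check.
$payload = 'https://www.youtube.com/watch?v=dQw4w9WgXcQ" onload="alert(1)';

$weak = render_comment_weak( $payload );      // <iframe src="...dQw4w9WgXcQ" onload="alert(1)"></iframe>
$hard = render_comment_hardened( $payload );  // <iframe src="...dQw4w9WgXcQ"></iframe>

if ( strpos( $weak, 'onload="alert(1)"' ) === false ) { fwrite( STDERR, "weak form did not inject\n" ); exit( 1 ); }
if ( strpos( $hard, 'onload=' ) !== false )            { fwrite( STDERR, "hardened form leaked\n" );   exit( 1 ); }
echo $weak, PHP_EOL, $hard, PHP_EOL;
```

Run it with `php render_example.php`. The point of the hardened version is the order of operations: validate the shape of the untrusted value first, then escape for the exact context it lands in (here an attribute, so quotes must be neutralised); a regex that accepts "the rest of the line" as an ID can never be rescued by escaping the surrounding markup alone.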

Metrics

CVSS v3.1
CVSS v3.1: 7.2 (HIGH)
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

Stored Cross-Site Scripting (XSS) affects the FV Flowplayer Video Player plugin for WordPress in all versions up to and including 7.5.49.7212. The injection point is reachable over the network without authentication. The vector's changed scope (S:C) reflects that the vulnerable component is the WordPress site while the impact lands in other users' browsers, including those of administrators who view the approved comment. Successful exploitation lets an attacker run arbitrary JavaScript in a victim's session. WordPress sets its authentication cookies HttpOnly, so the realistic impact is not reading the session cookie but acting as the victim: the script can, for example, fetch an admin page to obtain a nonce and then call admin-ajax or REST endpoints with the victim's privileges, as well as inject arbitrary content into the page. Two site-state preconditions apply: the plugin's non-default 'Parse Vimeo and YouTube links' (parse_comments) setting must be enabled, and the comment must be approved before the payload is served to anyone. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-7556 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including the Wordfence advisory feed within minutes of publication and matched against container images in customer registries and CI/CD pipelines, covering custom-built WordPress images that bundle the FV Flowplayer Video Player plugin alongside core WordPress.

Triage: Available

Triage is available with a CVSS v3.1 score of 7.2 (HIGH) applied to any matched image; per-environment compliance policy weighting can escalate or deprioritize the finding based on the customer's own risk thresholds, and the resulting alert is routed to the inbox or ticketing integration configured for that customer org.

Patch: Pending upstream

Because no upstream fix version exists for this CVE, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment a remediated version is published. In the interim, customers can apply compensating controls through HarborGuard's policy engine, such as flagging any image containing this plugin version for manual review or blocking promotion to production registries.
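The detection paragraph above says matched images are those bundling the plugin within the affected range. As an added example (not HarborGuard's scanner and not the plugin's code), the following PHP script does the same check against a WordPress plugins directory: it reads each plugin's header, matches the plugin name given in this advisory, and compares the header version against the last affected version with version_compare(). The directory slug `fv-wordpress-flowplayer`, the file layout of the constructed self-check, and the function names are assumptions.

```php
<?php
// Added example, not HarborGuard's or the plugin's code: flag a bundled copy of
// FV Flowplayer Video Player whose header version is within the affected range.
// Usage: php scan_fv_flowplayer.php /var/www/html/wp-content/plugins

const AFFECTED_MAX_VERSION = '7.5.49.7212';  // from the advisory; no fix version is published

// Read the WordPress plugin header fields we need from the top of a PHP file.
// The regex mirrors the shape core accepts: optional comment prefix, "Field:", value.
function parse_plugin_header( string $php_source ): array {
    $header = [];
    foreach ( [ 'Plugin Name', 'Version' ] as $field ) {
        if ( preg_match( '/^[ \t\/*#@]*' . preg_quote( $field, '/' ) . ':(.*)$/mi', $php_source, $m ) ) {
            // Strip a trailing "*/" or "?>" and surrounding whitespace.
            $header[ $field ] = trim( preg_replace( '~\s*(?:\*/|\?>).*~', '', $m[1] ) );
        }
    }
    return $header;
}

// A header matches the advisory when the name is the affected plugin and the
// version is <= the last affected version. version_compare() handles the
// four-component dotted version used by this plugin.
function is_affected( array $header ): bool {
    return isset( $header['Plugin Name'], $header['Version'] )
        && stripos( $header['Plugin Name'], 'FV Flowplayer' ) !== false
        && version_compare( $header['Version'], AFFECTED_MAX_VERSION, '<=' );
}

// Walk <plugins_dir>/<slug>/*.php, the files in which WordPress looks for headers.
function scan_plugins_dir( string $plugins_dir ): array {
    $findings = [];
    foreach ( glob( rtrim( $plugins_dir, '/' ) . '/*/*.php' ) ?: [] as $file ) {
        $head   = (string) file_get_contents( $file, false, null, 0, 8192 ); // header sits at the top
        $header = parse_plugin_header( $head );
        if ( is_affected( $header ) ) {
            $findings[] = [ 'file' => $file, 'version' => $header['Version'] ];
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' ) {
    if ( isset( $argv[1] ) ) {
        $dir = $argv[1];
    } else {
        // No directory given: build a constructed plugin tree for a self-check
        // (assumed slug and file name; the version string is the advisory's).
        $dir = sys_get_temp_dir() . '/wp-plugins-' . getmypid();
        @mkdir( "$dir/fv-wordpress-flowplayer", 0700, true );
        file_put_contents( "$dir/fv-wordpress-flowplayer/flowplayer.php",
            "<?php\n/*\nPlugin Name: FV Flowplayer Video Player\nVersion: 7.5.49.7212\n*/\n" );
        @mkdir( "$dir/other-plugin", 0700, true );
        file_put_contents( "$dir/other-plugin/other.php",
            "<?php\n/**\n * Plugin Name: Other Plugin\n * Version: 1.0.0\n */\n" );
    }
    foreach ( scan_plugins_dir( $dir ) as $f ) {
        printf( "AFFECTED CVE-2026-7556: %s (version %s <= %s)\n", $f['file'], $f['version'], AFFECTED_MAX_VERSION );
    }
}
```

Without an argument the script scans the constructed tree and reports the fake FV Flowplayer copy only. Because the advisory publishes no fixed version, a header version above 7.5.49.7212 means only "outside the range this advisory names", not "known safe"; re-run against the advisory once a fix version is recorded.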

Exploit Conditions

  • Network reachability: Required

    The attacker submits a malicious comment over the network to any publicly reachable WordPress site running the affected plugin, with no need for prior network access beyond standard HTTP connectivity (the comment form posts to wp-comments-post.php).

  • Authentication: Not required

    No account or credentials are needed; the payload is delivered through the unauthenticated comment submission endpoint.

  • Victim interaction: Indirect (vector scores UI:N)

    Two administrative actions gate delivery: an administrator must have enabled the non-default 'Parse Vimeo and YouTube links' (parse_comments) setting, and a user with the moderate_comments capability (an administrator or editor, not necessarily a different person) must approve the malicious comment. Once approved, the payload runs for anyone who loads the page with no further interaction, which is why the vector scores UI:N; the approval step is a precondition on the site's state rather than social engineering of the final victim.

  • Attack complexity: Low once preconditions hold

    Once the prerequisite site configuration and comment approval are in place, the exploit is deterministic and requires no race conditions, memory layout assumptions, or other environmental factors.

Blast Radius

  • Runs arbitrary JavaScript in the browser of any user who loads an injected page, including administrators. WordPress authentication cookies are HttpOnly, so the script cannot read them directly; it can instead act as the victim, for example by requesting an admin page to harvest a nonce and then calling admin-ajax or REST endpoints with the victim's privileges.
  • Injects arbitrary content into affected pages, enabling credential harvesting via fake login forms or silent redirection to attacker-controlled sites.
  • Modifies page content visible to other users, allowing defacement or distribution of malicious links within the trusted site context.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-7556 runs against all customer images containing the FV Flowplayer Video Player plugin, including custom WordPress images, with results surfaced immediately after ingestion. Because no upstream patch exists at this time, HarborGuard re-evaluates the advisory on every ingest cycle; the moment the plugin author publishes a remediated version, a patched-image rebuild becomes available and, for customers who opt into auto-remediation, a regression-test run executes automatically with a PR opened against affected workloads. While awaiting an upstream fix, compensating controls worth considering include disabling the 'Parse Vimeo and YouTube links' (parse_comments) plugin setting where it is not operationally required (this removes the vulnerable code path entirely), enforcing manual moderation of every comment so that no comment reaches the public page without review, and rate-limiting or restricting requests to wp-comments-post.php at the web server or WAF. Customers can configure HarborGuard policy rules to block promotion of images bundling this plugin version to production registries until a fix is confirmed.
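The "enforce manual moderation" control above can be pinned in code so that nobody can loosen it from the Discussion settings screen while the fix is pending. The following must-use plugin is an added example (not HarborGuard's tooling and not the FV Flowplayer plugin's code); it uses only WordPress core hooks (`pre_option_{$option}` and `pre_comment_approved`) and assumes it is dropped into `wp-content/mu-plugins/`, where WordPress loads it unconditionally.

```php
<?php
/**
 * Plugin Name: Hold all comments for moderation (compensating control)
 * Description: Added example, not the FV Flowplayer plugin's code. Place in
 *              wp-content/mu-plugins/ so it cannot be deactivated from wp-admin.
 */

// Pin the two Discussion settings regardless of what is stored in wp_options:
// "Comment must be manually approved" and "Comment author must have a
// previously approved comment". pre_option_* short-circuits get_option().
add_filter( 'pre_option_comment_moderation', static function () {
    return '1';
} );
add_filter( 'pre_option_comment_previously_approved', static function () {
    return '1';
} );

// Belt and braces: every new comment from anyone without moderate_comments
// is held (status 0) even if another plugin tried to auto-approve it.
// Spam/trash decisions made earlier in the chain are preserved.
add_filter( 'pre_comment_approved', static function ( $approved, array $commentdata ) {
    if ( $approved === 'spam' || $approved === 'trash' ) {
        return $approved;
    }
    $user_id = (int) ( $commentdata['user_id'] ?? 0 );
    if ( $user_id && user_can( $user_id, 'moderate_comments' ) ) {
        return $approved;
    }
    return 0;
}, PHP_INT_MAX, 2 );
```

This does not remove the vulnerable code path (only disabling parse_comments or an upstream fix does that); it guarantees the approval gate the advisory describes stays in place and that the person approving a comment with a video link is making a deliberate decision.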

Affected packages
  • foliovision / FV Flowplayer Video Player: ≤ 7.5.49.7212

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N