PatchSiren cyber security CVE debrief
CVE-2026-7556 foliovision CVE debrief
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires an administrator to have enabled the non-default 'Parse Vimeo and YouTube links' (parse_comments) plugin setting, and requires a submitted comment to be approved by an administrator before the payload is publicly delivered.
- Vendor: foliovision
- Product: FV Flowplayer Video Player
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Site operators running the FV Flowplayer Video Player plugin for WordPress at any version up to and including 7.5.49.7212, especially where the non-default 'Parse Vimeo and YouTube links' (parse_comments) setting is enabled and comments are accepted from unauthenticated visitors.
Technical summary
The vulnerability is a stored cross-site scripting flaw caused by insufficient input sanitization and output escaping of comment text in the FV Flowplayer Video Player plugin. When the 'Parse Vimeo and YouTube links' (parse_comments) setting is enabled, an unauthenticated commenter can submit text containing arbitrary web script; once an administrator approves the comment, the script is stored and executed in the browser of every user who views the affected page.
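The following PHP example is added here to illustrate the class of defect the summary describes; it is not code from the FV Flowplayer Video Player plugin and does not reproduce the plugin's actual link-parsing logic. It contrasts a generic comment renderer that converts URLs to links and echoes the result as raw HTML with a hardened version that escapes the whole comment first and only then links URLs through esc_url(). The function names render_comment_unsafe and render_comment_safe, the fallback implementations of esc_html() and esc_url(), and the sample comment string are all constructed for this example.

```php
<?php
// Added illustrative example; not code from the FV Flowplayer Video Player
// plugin. Shows the stored-XSS pattern the advisory describes in generic terms:
// comment text turned into links and echoed unescaped, beside a hardened
// renderer that escapes before linking.

// Fallbacks so the file also runs outside WordPress. Inside WordPress the real
// esc_html() and esc_url() are already defined and are used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        $url = trim( (string) $url );
        // Accept only http(s) URLs; anything else (javascript:, data:, ...) is dropped.
        if ( ! preg_match( '#^https?://#i', $url ) || false === filter_var( $url, FILTER_VALIDATE_URL ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable pattern: the stored comment is echoed as HTML while its URLs are
// converted to links. Any markup the commenter saved is delivered to every
// visitor once the comment is approved.
function render_comment_unsafe( $text ) {
    $linked = preg_replace(
        '#(https?://[^\s<]+)#i',
        '<a href="$1">$1</a>',
        $text
    );
    return '<p class="comment">' . $linked . '</p>';
}

// Hardened pattern: escape the whole text first, then link URLs found in the
// escaped text, passing each href through esc_url(). Injected tags survive only
// as visible characters, never as markup.
function render_comment_safe( $text ) {
    $escaped = esc_html( $text );
    $linked  = preg_replace_callback(
        '#https?://[^\s<]+#i',
        function ( $m ) {
            $href = esc_url( $m[0] );
            if ( '' === $href ) {
                return $m[0]; // not a permitted URL: leave it as escaped text
            }
            // $m[0] is already escaped because it was matched in $escaped.
            return '<a href="' . $href . '" rel="nofollow noopener">' . $m[0] . '</a>';
        },
        $escaped
    );
    return '<p class="comment">' . $linked . '</p>';
}

// Constructed sample comment: a video link followed by an injected script tag.
$comment = 'Nice clip https://www.youtube.com/watch?v=EXAMPLE <script>alert(1)</script>';

echo render_comment_unsafe( $comment ), PHP_EOL;
echo render_comment_safe( $comment ), PHP_EOL;
```

Run with the PHP CLI: the unsafe renderer emits the script element unchanged inside the paragraph, while the hardened renderer shows the same characters as inert text and still produces a clickable link for the video URL. The order of operations is the point: escaping must happen before any markup is generated from user input, and every generated attribute value must itself be escaped.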
Defensive priority
HIGH
Recommended defensive actions
- Update the FV Flowplayer Video Player plugin to a release later than 7.5.49.7212.
- Disable the 'Parse Vimeo and YouTube links' (parse_comments) plugin setting if not required.
- Ensure administrator approval is required for comments.
Evidence notes
The CVE-2026-7556 record and associated details were sourced from official vulnerability databases and vendor reports.
Official resources
CVE-2026-7556 was published on 2026-06-09T03:16:26.583Z and modified on 2026-06-09T13:33:34.393Z.