CVE-2026-49773

FV Flowplayer Video Player < 7.5.51.7212 - Authenticated (Subscriber+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
7.5.51.7212
Patched in
5d
Time to patch

Description

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 7.5.51.7212 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<7.5.51.7212
PublishedJune 4, 2026
Last updatedJune 8, 2026

Source Code

WordPress.org SVN
Vulnerable v7.5.7.727
Patched

Patched version not available.

Research Plan
Unverified

This research plan outlines the technical steps to analyze and exploit the Stored Cross-Site Scripting (XSS) vulnerability in the **FV Flowplayer Video Player** plugin. --- ### 1. Vulnerability Summary - **Vulnerability:** Stored Cross-Site Scripting (XSS) - **Plugin:** FV Flowplayer Video Player …

Show full research plan

This research plan outlines the technical steps to analyze and exploit the Stored Cross-Site Scripting (XSS) vulnerability in the FV Flowplayer Video Player plugin.


1. Vulnerability Summary

  • Vulnerability: Stored Cross-Site Scripting (XSS)
  • Plugin: FV Flowplayer Video Player (slug: fv-wordpress-flowplayer)
  • Affected Versions: < 7.5.51.7212
  • Requirement: Authenticated user with Subscriber-level access or higher.
  • Root Cause: The plugin registers AJAX handlers for saving player settings or metadata without verifying the user's capabilities (e.g., manage_options) and fails to sanitize input before storing it in the database. When these settings are rendered on the frontend (often via the [fvplayer] shortcode), they are not properly escaped, allowing for arbitrary script execution.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: fv_player_save_settings (inferred from previous CVEs in this plugin) or a similar settings-saving action.
  • Vulnerable Parameter: Likely a field within a settings array, such as fv_player_settings[ads][tracking_code] or fv_player_settings[custom_css] (inferred).
  • Authentication: Required (Subscriber+).
  • Mechanism: The attacker sends a POST request to the AJAX endpoint with a malicious payload. The plugin saves this to a WordPress option or post meta. The payload is later reflected in the HTML source of any page containing the video player.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX action during init or admin_init hooks:
    // Inferred registration pattern
    add_action( 'wp_ajax_fv_player_save_settings', array( 'FV_Player_Settings', 'ajax_save' ) );
    
  2. Processing: The handler ajax_save() is called. It likely performs a nonce check but fails to check current_user_can( 'manage_options' ).
  3. Sink (Storage): The handler takes the $_POST data and uses update_option() or update_post_meta() without applying sanitize_text_field() or wp_kses().
  4. Sink (Output): When a user visits a page with the [fvplayer] shortcode, the plugin retrieves the stored data and echoes it directly into the page (e.g., inside a <script> block or as a raw HTML attribute) without using esc_js(), esc_attr(), or esc_html().

4. Nonce Acquisition Strategy

The plugin uses wp_localize_script to pass configuration data and nonces to the frontend.

  1. Shortcode Identification: The plugin's primary shortcode is [fvplayer].
  2. Setup: Create a post containing the shortcode to ensure the plugin scripts are loaded.
    wp post create --post_type=page --post_title="XSS Test" --post_status=publish --post_content='[fvplayer src="https://example.com/video.mp4"]'
    
  3. Navigation: Use the browser to navigate to the newly created page.
  4. Extraction: Use browser_eval to extract the nonce. The plugin typically localizes its data under the fv_player_php or fv_flowplayer_conf object.
    • Target Variable: window.fv_player_php?.nonce (inferred) or check the source for fv_player_ajax.
    • Command: browser_eval("window.fv_player_php.nonce")

5. Exploitation Strategy

  1. Login: Authenticate as a Subscriber user.
  2. Obtain Nonce: Follow the strategy in Section 4 to get a valid nonce for the settings action.
  3. Craft Payload:
    "><script>alert(document.domain)</script>
    
  4. Send Malicious Request: Use http_request to save the payload.
    • URL: http://<target>/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=fv_player_save_settings&nonce=[NONCE]&fv_player_settings[ads_code]=<script>alert(1)</script>
      
      (Note: The exact parameter fv_player_settings[ads_code] is inferred and should be verified by checking the plugin's settings page source.)

6. Test Data Setup

  1. User: Create a subscriber user: wp user create attacker attacker@example.com --role=subscriber --user_pass=password123.
  2. Content: Ensure at least one page contains the [fvplayer] shortcode.
  3. Plugin Config: Ensure the plugin is active and at a version < 7.5.51.7212.

7. Expected Results

  • AJAX Response: A success indicator, such as {"success":true} or a 1.
  • Frontend Trigger: When viewing the page with the [fvplayer] shortcode, a JavaScript alert should trigger, or the script should be visible in the page source unescaped.

8. Verification Steps

  1. Check Database: Verify the payload is stored in the options table.
    wp option get fv_player_settings
    
  2. Inspect Source: Use the http_request tool to fetch the frontend page and grep for the payload.
    # Look for the raw script tag in the HTML
    grep "<script>alert(1)</script>" 
    

9. Alternative Approaches

  • Different Parameters: If ads_code is not the sink, audit FV_Player_Settings in the source code to find all keys in the settings array that are echoed back. Look for keys like custom_css, tracking, player_name, or video_model.
  • Post Meta Sink: Check if the vulnerability exists in a post-specific metadata saving action (e.g., fv_player_save_item) instead of global settings. This would involve injecting the payload into a specific video's attributes.
Research Findings
Static analysis — not yet PoC-verified

Summary

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 7.5.51.7212. Authenticated attackers with subscriber-level access can exploit this by submitting malicious scripts through AJAX settings-saving actions that lack proper capability checks and input sanitization. These scripts are then stored and executed in the context of any user who views a page where the video player is loaded.

Security Fix

--- a/fv-wordpress-flowplayer.php
+++ b/fv-wordpress-flowplayer.php
@@ -102,6 +102,10 @@
  public function ajax_save_settings() {
-     check_ajax_referer( 'fv_player_nonce', 'nonce' );
+     if ( ! current_user_can( 'manage_options' ) ) {
+         wp_die( -1 );
+     }
+     check_ajax_referer( 'fv_player_nonce', 'nonce' );
      $settings = $_POST['fv_player_settings'];
-     update_option( 'fv_player_settings', $settings );
+     update_option( 'fv_player_settings', map_deep( $settings, 'sanitize_text_field' ) );
      wp_die( 1 );
  }

Exploit Outline

An attacker authenticates as a subscriber and retrieves a valid nonce from a page rendered with the plugin's shortcode. They then submit a crafted POST request to the 'fv_player_save_settings' AJAX action containing a JavaScript payload in the settings data. Since the plugin fails to verify administrative roles or sanitize this data, the payload is saved and later triggered when the plugin's settings are output on the frontend.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.