[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3SmNID9TbQawLRDE9KCXKqbZR9R8OmQj9VVBA_2ErVI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":27,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":32},"CVE-2026-49773","fv-flowplayer-video-player-authenticated-subscriber-stored-cross-site-scripting","FV Flowplayer Video Player \u003C 7.5.51.7212 - Authenticated (Subscriber+) Stored Cross-Site Scripting","The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 7.5.51.7212 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","fv-wordpress-flowplayer",null,"\u003C7.5.51.7212","7.5.51.7212","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-04 00:00:00","2026-06-08 14:30:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd58fe116-0896-46b5-a120-d0fde9680ff1?source=api-prod",5,[],"researched",false,3,"This research plan outlines the technical steps to analyze and exploit the Stored Cross-Site Scripting (XSS) vulnerability in the **FV Flowplayer Video Player** plugin.\n\n---\n\n### 1. Vulnerability Summary\n- **Vulnerability:** Stored Cross-Site Scripting (XSS)\n- **Plugin:** FV Flowplayer Video Player (slug: `fv-wordpress-flowplayer`)\n- **Affected Versions:** \u003C 7.5.51.7212\n- **Requirement:** Authenticated user with Subscriber-level access or higher.\n- **Root Cause:** The plugin registers AJAX handlers for saving player settings or metadata without verifying the user's capabilities (e.g., `manage_options`) and fails to sanitize input before storing it in the database. When these settings are rendered on the frontend (often via the `[fvplayer]` shortcode), they are not properly escaped, allowing for arbitrary script execution.\n\n### 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `fv_player_save_settings` (inferred from previous CVEs in this plugin) or a similar settings-saving action.\n- **Vulnerable Parameter:** Likely a field within a settings array, such as `fv_player_settings[ads][tracking_code]` or `fv_player_settings[custom_css]` (inferred).\n- **Authentication:** Required (Subscriber+).\n- **Mechanism:** The attacker sends a POST request to the AJAX endpoint with a malicious payload. The plugin saves this to a WordPress option or post meta. The payload is later reflected in the HTML source of any page containing the video player.\n\n### 3. Code Flow (Inferred)\n1. **Entry Point:** The plugin registers an AJAX action during `init` or `admin_init` hooks:\n   ```php\n   \u002F\u002F Inferred registration pattern\n   add_action( 'wp_ajax_fv_player_save_settings', array( 'FV_Player_Settings', 'ajax_save' ) );\n   ```\n2. **Processing:** The handler `ajax_save()` is called. It likely performs a nonce check but fails to check `current_user_can( 'manage_options' )`.\n3. **Sink (Storage):** The handler takes the `$_POST` data and uses `update_option()` or `update_post_meta()` without applying `sanitize_text_field()` or `wp_kses()`.\n4. **Sink (Output):** When a user visits a page with the `[fvplayer]` shortcode, the plugin retrieves the stored data and echoes it directly into the page (e.g., inside a `\u003Cscript>` block or as a raw HTML attribute) without using `esc_js()`, `esc_attr()`, or `esc_html()`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin uses `wp_localize_script` to pass configuration data and nonces to the frontend.\n\n1. **Shortcode Identification:** The plugin's primary shortcode is `[fvplayer]`.\n2. **Setup:** Create a post containing the shortcode to ensure the plugin scripts are loaded.\n   ```bash\n   wp post create --post_type=page --post_title=\"XSS Test\" --post_status=publish --post_content='[fvplayer src=\"https:\u002F\u002Fexample.com\u002Fvideo.mp4\"]'\n   ```\n3. **Navigation:** Use the browser to navigate to the newly created page.\n4. **Extraction:** Use `browser_eval` to extract the nonce. The plugin typically localizes its data under the `fv_player_php` or `fv_flowplayer_conf` object.\n   - **Target Variable:** `window.fv_player_php?.nonce` (inferred) or check the source for `fv_player_ajax`.\n   - **Command:** `browser_eval(\"window.fv_player_php.nonce\")`\n\n### 5. Exploitation Strategy\n1. **Login:** Authenticate as a Subscriber user.\n2. **Obtain Nonce:** Follow the strategy in Section 4 to get a valid nonce for the settings action.\n3. **Craft Payload:**\n   ```html\n   \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n   ```\n4. **Send Malicious Request:** Use `http_request` to save the payload.\n   - **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Method:** `POST`\n   - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body:**\n     ```\n     action=fv_player_save_settings&nonce=[NONCE]&fv_player_settings[ads_code]=\u003Cscript>alert(1)\u003C\u002Fscript>\n     ```\n     *(Note: The exact parameter `fv_player_settings[ads_code]` is inferred and should be verified by checking the plugin's settings page source.)*\n\n### 6. Test Data Setup\n1. **User:** Create a subscriber user: `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`.\n2. **Content:** Ensure at least one page contains the `[fvplayer]` shortcode.\n3. **Plugin Config:** Ensure the plugin is active and at a version `\u003C 7.5.51.7212`.\n\n### 7. Expected Results\n- **AJAX Response:** A success indicator, such as `{\"success\":true}` or a `1`.\n- **Frontend Trigger:** When viewing the page with the `[fvplayer]` shortcode, a JavaScript alert should trigger, or the script should be visible in the page source unescaped.\n\n### 8. Verification Steps\n1. **Check Database:** Verify the payload is stored in the options table.\n   ```bash\n   wp option get fv_player_settings\n   ```\n2. **Inspect Source:** Use the `http_request` tool to fetch the frontend page and grep for the payload.\n   ```bash\n   # Look for the raw script tag in the HTML\n   grep \"\u003Cscript>alert(1)\u003C\u002Fscript>\" \n   ```\n\n### 9. Alternative Approaches\n- **Different Parameters:** If `ads_code` is not the sink, audit `FV_Player_Settings` in the source code to find all keys in the settings array that are echoed back. Look for keys like `custom_css`, `tracking`, `player_name`, or `video_model`.\n- **Post Meta Sink:** Check if the vulnerability exists in a post-specific metadata saving action (e.g., `fv_player_save_item`) instead of global settings. This would involve injecting the payload into a specific video's attributes.","The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 7.5.51.7212. Authenticated attackers with subscriber-level access can exploit this by submitting malicious scripts through AJAX settings-saving actions that lack proper capability checks and input sanitization. These scripts are then stored and executed in the context of any user who views a page where the video player is loaded.","--- a\u002Ffv-wordpress-flowplayer.php\n+++ b\u002Ffv-wordpress-flowplayer.php\n@@ -102,6 +102,10 @@\n  public function ajax_save_settings() {\n-     check_ajax_referer( 'fv_player_nonce', 'nonce' );\n+     if ( ! current_user_can( 'manage_options' ) ) {\n+         wp_die( -1 );\n+     }\n+     check_ajax_referer( 'fv_player_nonce', 'nonce' );\n      $settings = $_POST['fv_player_settings'];\n-     update_option( 'fv_player_settings', $settings );\n+     update_option( 'fv_player_settings', map_deep( $settings, 'sanitize_text_field' ) );\n      wp_die( 1 );\n  }","An attacker authenticates as a subscriber and retrieves a valid nonce from a page rendered with the plugin's shortcode. They then submit a crafted POST request to the 'fv_player_save_settings' AJAX action containing a JavaScript payload in the settings data. Since the plugin fails to verify administrative roles or sanitize this data, the payload is saved and later triggered when the plugin's settings are output on the frontend.","gemini-3-flash-preview","2026-06-26 05:05:05","2026-06-26 05:05:52",{"type":33,"vulnerable_version":34,"fixed_version":9,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":9,"fixed_zip":9,"all_tags":37},"plugin","7.5.7.727","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffv-wordpress-flowplayer\u002Ftags\u002F7.5.7.727","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffv-wordpress-flowplayer.7.5.7.727.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffv-wordpress-flowplayer\u002Ftags"]