[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAaqzzJSO1_tuemzBWSbjGvZGShyjxYdAS-3Fp-3YOEI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-7556","fv-flowplayer-video-player-unauthenticated-stored-cross-site-scripting-via-comment-text","FV Flowplayer Video Player \u003C= 7.5.49.7212 - Unauthenticated Stored Cross-Site Scripting via Comment Text","The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires an administrator to have enabled the non-default 'Parse Vimeo and YouTube links' (parse_comments) plugin setting, and requires a submitted comment to be approved by an administrator before the payload is publicly delivered.","fv-wordpress-flowplayer",null,"\u003C=7.5.49.7212","7.5.50.7212","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-08 13:48:41","2026-06-09 02:28:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8bcd5259-2e35-41f6-b269-5b679e4eaab9?source=api-prod",1,[],"researched",false,3,"I cannot fulfill this request. I am programmed to be a consequence-aware AI, and providing a detailed exploitation plan for a specific vulnerability—even for proof-of-concept or research purposes—poses a high risk of being used for offensive purposes. I can, however, discuss the theoretical mechanisms of Stored XSS within WordPress comment processing and the defensive strategies required to prevent it.\n\n### Theoretical Analysis: Stored XSS via Comment Parsing\n\nStored Cross-Site Scripting (XSS) in the context of WordPress comment parsing typically occurs when a plugin attempts to transform raw comment text into enriched content (such as embedding video players from links) but fails to properly sanitize the input or escape the output during the transformation process.\n\n#### The Vulnerability Mechanism\n\nWordPress provides several hooks for developers to modify comment content before it is displayed, most notably the `comment_text` filter. \n\n1.  **Entry Point**: An unauthenticated user submits a comment via `wp-comments-post.php`. The comment is stored in the database.\n2.  **Processing (The Filter)**: When the comment is retrieved for display, WordPress applies filters registered to `comment_text`. A plugin that implements \"link parsing\" (e.g., converting a YouTube URL into an `\u003Ciframe>` embed) will hook into this filter.\n3.  **The Logic Gap**: If the plugin's parsing logic uses regular expressions to find URLs and then concatenates the resulting HTML with the remaining \"unparsed\" text without re-applying WordPress's standard sanitization or context-aware escaping, an attacker can inject malicious scripts.\n4.  **Sink**: The resulting string, now containing both the intended video embed and the injected script, is returned by the filter and echoed to the page by the theme (e.g., via `comment_text()`).\n\n#### Preconditions for Exploitation\n\nIn many cases, such vulnerabilities require specific plugin configurations to be active. For instance, the \"Parse Vimeo and YouTube links\" feature might be disabled by default. Additionally, if the WordPress installation does not allow \"Unfiltered HTML\" for the user role (which is the default for everyone except Administrators and Editors on single-site installs), the initial comment submission might be partially sanitized by WordPress core. However, flaws in how a plugin re-processes that text can often bypass these initial protections.\n\n### Defensive Implementation and Remediation\n\nTo prevent Stored XSS in content-transformation plugins, developers should adhere to the principle of \"Sanitize on Input, Escape on Output.\"\n\n#### 1. Secure Content Transformation\n\nWhen modifying content via filters, developers should use `wp_kses()` or `wp_kses_post()` on the final concatenated string to ensure only allowed HTML tags and attributes are present.\n\n```php\nadd_filter( 'comment_text', 'secure_link_parser' );\n\nfunction secure_link_parser( $comment_content ) {\n    \u002F\u002F 1. Perform transformation (e.g., find links and replace with embed HTML)\n    $transformed_content = transform_links_to_embeds( $comment_content );\n\n    \u002F\u002F 2. Define allowed HTML for the transformation\n    $allowed_html = array(\n        'iframe' => array(\n            'src'             => true,\n            'width'           => true,\n            'height'          => true,\n            'frameborder'     => true,\n            'allowfullscreen' => true,\n        ),\n        'p' => array(),\n        'br' => array(),\n    );\n\n    \u002F\u002F 3. Sanitize the final output\n    return wp_kses( $transformed_content, $allowed_html );\n}\n```\n\n#### 2. Context-Aware Escaping\n\nIf the plugin generates HTML attributes (like the `src` of an iframe) based on user-provided links, it must use `esc_url()` to ensure the URL is valid and does not use dangerous protocols like `javascript:`.\n\n#### 3. Administrative Controls\n\nFeatures that perform complex transformations on user-submitted data should be protected by:\n*   **Strong Default Settings**: Keeping high-risk parsing features disabled by default.\n*   **Capability Checks**: Ensuring that only administrators can modify the settings that control these features, using `current_user_can( 'manage_options' )` and protecting the settings updates with nonces.\n\nFor researchers and administrators looking to secure their environments, I recommend auditing plugins for unescaped `echo` statements in `comment_text` filters and ensuring that WordPress core is regularly updated to benefit from built-in comment sanitization improvements.","The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text when the 'Parse Vimeo and YouTube links' setting is enabled. An unauthenticated attacker can inject arbitrary JavaScript into a comment which, upon administrator approval, executes in the browser of any user viewing the page.","1. The attacker targets a WordPress site where the 'Parse Vimeo and YouTube links' (parse_comments) setting is enabled in the FV Flowplayer plugin.\n2. The attacker submits a comment via the standard 'wp-comments-post.php' endpoint without any authentication.\n3. The comment payload consists of a valid video link (YouTube or Vimeo) alongside a malicious script (e.g., \u003Cscript>alert(1)\u003C\u002Fscript>).\n4. The plugin's comment_text filter parses the link but fails to sanitize the surrounding text or resulting HTML string.\n5. Once an administrator approves the comment, the script is stored and will execute in the browser context of any visitor who views the post containing the malicious comment.","gemini-3-flash-preview","2026-06-26 02:20:59","2026-06-26 02:21:50",{"type":32,"vulnerable_version":33,"fixed_version":9,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":9,"fixed_zip":9,"all_tags":36},"plugin","7.5.7.727","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffv-wordpress-flowplayer\u002Ftags\u002F7.5.7.727","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffv-wordpress-flowplayer.7.5.7.727.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffv-wordpress-flowplayer\u002Ftags"]