| Plugin name | FV Flowplayer Video Player |
|---|---|
| Vulnerability type | Cross-Site Scripting (XSS) |
| CVE number | CVE-2026-7556 |
| Urgency | Medium |
| CVE publication date | 2026-06-09 |
| Source URL | CVE-2026-7556 |
Urgent: CVE-2026-7556 — Unauthenticated Stored XSS in FV Flowplayer Video Player Plugin (<= 7.5.49.7212) — What WordPress Site Owners Must Do Now
Note: This advisory explains a recently reported stored Cross‑Site Scripting (XSS) vulnerability affecting the FV Flowplayer Video Player WordPress plugin (CVE‑2026‑7556). It covers the issue, attack scenarios, detection, immediate mitigations, developer fixes, and risk reduction strategies while you remediate.
Executive summary
A stored Cross‑Site Scripting (XSS) vulnerability (CVE‑2026‑7556) affects FV Flowplayer Video Player for WordPress. Versions up to and including 7.5.49.7212 are vulnerable. A patch was released in 7.5.50.7212.
This is an unauthenticated stored XSS: an attacker without an account can submit payloads that the plugin persists and later renders in admin interfaces or front-end pages, so the script executes in the browser of an administrator or a visitor. The reported severity is a CVSS-style score of 7.1 (medium/high).
Action required: If your site uses FV Flowplayer, update to the patched version immediately. If you cannot update right away, apply the temporary mitigations described below until you can patch and verify the site.
What stored XSS is and why this one matters
Stored (persistent) XSS occurs when an application saves untrusted input and later renders it to other users without proper output escaping. Unlike reflected XSS, which needs each victim to follow a crafted link, stored XSS can affect many users, including high-privilege administrators, simply because they view a page that contains the stored payload.
This vulnerability is unauthenticated — no account needed to submit payloads. An attacker may store malicious JavaScript via plugin inputs, which executes when an admin or visitor views the content. Possible impacts:
- Arbitrary JavaScript execution in visitors’ browsers.
- Admin account takeover: script running in an administrator's browser can issue authenticated requests on their behalf (for example, creating a new administrator user or editing files), even where the WordPress auth cookies are flagged HttpOnly and cannot be read directly.
- Content manipulation, redirects to phishing pages, or client‑side payload delivery (malvertising, miners).
- Lateral movement in the admin area if administrators interact with infected pages.
Because FV Flowplayer is used both on the front end and in admin contexts, stored payloads could execute in administrative screens — a particularly dangerous scenario.
Affected versions and identifiers
- Software: FV Flowplayer Video Player (WordPress plugin)
- Affected versions: ≤ 7.5.49.7212
- Patched version: 7.5.50.7212
- Classification: Stored Cross-Site Scripting (XSS)
- CVE: CVE‑2026‑7556
- Reported severity: CVSS‑style 7.1 (medium/high)
- Privileges required: None (unauthenticated)
- Exploitation: No authentication required to store payload; execution requires a user to view the stored content
Realistic attack scenarios
Typical attacker use cases include:
- Admin-targeted compromise: malicious JavaScript stored in plugin settings or media fields executes when an administrator views the plugin settings page, enabling actions in the admin's authenticated session such as creating admin users or modifying files.
- Broad public exploitation: a payload rendered on public pages (for example, a video gallery) redirects visitors to phishing sites, injects malicious ads, or runs browser-based cryptominers.
- Targeted phishing: the attacker stores a payload tailored to a specific administrator and lures them to view the page, increasing the chance of account takeover.
- Chained attacks: stored XSS can be combined with other weaknesses to persist server-side backdoors or escalate privileges.
Automated bots can mass‑scan and inject payloads, so unattended vulnerable sites may be compromised rapidly.
How attackers find and exploit the vulnerability (high level)
- Identify WordPress sites running the vulnerable plugin (public assets or plugin HTML).
- Probe plugin endpoints and public inputs that accept data (forms, uploads).
- Submit payloads and confirm persistence.
- Craft payloads to execute in the context where data is rendered (admin or public pages).
- Wait for admin or visitors to view the infected content; execute the attack.
This advisory does not publish exploit payloads; the remaining sections focus on detection, mitigation, and remediation.
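The first step above, identifying sites that run an affected version, is the same check a defender should run across their own inventory. The following Python script is an added example written for this advisory, not code from the plugin or from the original page: it extracts the plugin version from the `?ver=` query string that WordPress appends to enqueued plugin assets and compares it numerically against the patched release 7.5.50.7212 named above. The plugin directory slug `fv-wordpress-flowplayer`, the asset paths and the sample HTML are assumptions constructed for illustration; confirm the slug in your own `wp-content/plugins/` directory before relying on the fingerprint.

```python
import re
from typing import Dict, Optional, Tuple

# Value taken from the advisory: first release that is not affected.
PATCHED_VERSION = "7.5.50.7212"

# ASSUMPTION: the plugin's directory slug under wp-content/plugins/.
# Verify it against your own installation before relying on this fingerprint.
PLUGIN_SLUG = "fv-wordpress-flowplayer"

# Constructed sample of the HTML a scanner might fetch from a site's front page.
# The asset paths are illustrative and are not copied from the plugin.
SAMPLE_HTML = """
<link rel='stylesheet' id='fv_flowplayer-css'
  href='https://example.com/wp-content/plugins/fv-wordpress-flowplayer/css/flowplayer.css?ver=7.5.49.7212' />
<script src='https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1'></script>
<script src='https://example.com/wp-content/plugins/fv-wordpress-flowplayer/flowplayer/fv-player.min.js?ver=7.5.49.7212'></script>
"""

# Matches an asset served from the plugin directory and captures the version
# WordPress appends as ?ver=... when the plugin registers its scripts/styles.
ASSET_RE = re.compile(
    r"/wp-content/plugins/" + re.escape(PLUGIN_SLUG)
    + r"/[^\s'\"<>]*\?ver=([0-9]+(?:\.[0-9]+)*)"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.5.49.7212' into (7, 5, 49, 7212) for numeric comparison."""
    return tuple(int(part) for part in version.split("."))


def version_lt(a: str, b: str) -> bool:
    """Component-wise numeric comparison; shorter versions are zero-padded."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def find_plugin_version(html: str) -> Optional[str]:
    """Return the plugin version advertised in the page's asset URLs, or None."""
    versions = set(ASSET_RE.findall(html))
    if not versions:
        return None
    # If assets disagree (for example, mixed cached output after a partial
    # update), report the lowest so the site is flagged for manual review
    # rather than silently passed.
    return min(versions, key=parse_version)


def is_vulnerable(version: str) -> bool:
    """Affected range from the advisory: every release before 7.5.50.7212."""
    return version_lt(version, PATCHED_VERSION)


def assess(html: str) -> Dict[str, object]:
    """Triage verdict for one fetched page: detected?, version, vulnerable?"""
    version = find_plugin_version(html)
    if version is None:
        return {"detected": False, "version": None, "vulnerable": None}
    return {"detected": True, "version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
```

Absence of a match is not proof of safety: caching and optimisation plugins often strip or rewrite `?ver=` parameters, and the plugin may be installed but not enqueued on the particular page you fetched. Treat the result as a triage aid and confirm the installed version from the WordPress Plugins screen or with WP-CLI (`wp plugin list`).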
How to detect if your site has been affected
Immediate checks: