CVE-2026-12135
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to and including 7.5.51.7212 due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that execute when users access affected pages.
Risk Assessment
Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which execute whenever a user visits the compromised page, potentially leading to session theft, defacement, or further compromise of the WordPress site.
Recommendation
Immediately update the FV Flowplayer Video Player plugin to the latest available version that fixes this vulnerability. If no update is available, temporarily disable the plugin or restrict the 'video_player' shortcode usage to trusted users only.
Original NVD description (English source)
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to, and including, 7.5.51.7212 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

