Security Advisory - Published 2026-06-09 - WordPress plugin
FV Flowplayer CVE-2026-7556: Stored XSS Self-Check
CVE-2026-7556 affects the FV Flowplayer Video Player plugin for WordPress in
versions up to and including 7.5.49.7212. The issue is stored cross-site scripting
through comment text when the non-default Parse Vimeo and YouTube links
setting is enabled. The comment must also be approved before the script is delivered
to visitors.
Who is affected
- Plugin: FV Flowplayer Video Player, slug fv-wordpress-flowplayer
- CVE: CVE-2026-7556
- Affected versions: 7.5.49.7212 and earlier
- Fixed version: 7.5.50.7212 or newer
- Required setting: Parse Vimeo and YouTube links (parse_comments) enabled
- Required workflow: a submitted comment is approved and then displayed
10-minute self-check
Step 1: Check the plugin version
wp plugin list | grep fv-wordpress-flowplayer
wp plugin get fv-wordpress-flowplayer --field=version
Update if the version is 7.5.49.7212 or older. WordPress.org lists 7.5.50.7212 as the security fix for this comment-text issue, and newer releases are available.
Step 2: Check whether comment parsing is enabled
In wp-admin, open the FV Player settings and look for Parse Vimeo and YouTube links. If it is enabled, review comments approved while the old plugin version was active.
wp db query "SELECT option_name FROM wp_options WHERE option_value LIKE '%parse_comments%' OR option_value LIKE '%Parse Vimeo%';"
Option names can vary by plugin version. The SQL above is read-only and only helps locate where the setting is stored.
Step 3: Review recently approved comments
wp comment list --status=approve --fields=comment_ID,comment_post_ID,comment_date,comment_author --number=80
Do not paste suspicious comment bodies into a browser. Review them in a plain-text editor or export first. Focus on comments containing video links, unexpected HTML, encoded text, or comments approved by mistake.
Step 4: Check moderation history
- Find comments approved after 2026-05-04 if the site was still on 7.5.49.7212 or older.
- Look for comment approvals from new or unfamiliar moderator accounts.
- Check whether pages with approved comments were viewed by administrators after approval.
- Review security logs for admin profile changes, plugin installs, or new admin users after suspicious comment views.
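As an added example that is not part of this advisory or the plugin, the script below applies the Step 3 and Step 4 comment checks offline to a wp-cli CSV export (the export command in the comments and the indicator patterns are this example's assumptions; the sample CSV is constructed, not site data):

```python
import csv
import io
import re

# Triage an approved-comment export for CVE-2026-7556 follow-up. Produce the
# export on the site with (assumed wp-cli invocation, fields as in Step 3):
#   wp comment list --status=approve --format=csv \
#     --fields=comment_ID,comment_post_ID,comment_date,comment_author,comment_content
# Read the results in a terminal or editor only; never render comment bodies in a browser.

VULN_WINDOW_START = "2026-05-04"  # date the advisory uses for moderation review

# (label, pattern). A video link is the trigger for the affected parser; the
# other patterns catch raw HTML or obfuscated text a plain comment should not carry.
INDICATORS = [
    ("video-link", re.compile(r"youtube\.com|youtu\.be|vimeo\.com", re.I)),
    ("html-tag", re.compile(r"<\s*/?[a-z!]", re.I)),
    ("script-or-handler", re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript\s*:", re.I)),
    ("encoded-text", re.compile(r"(%[0-9a-f]{2}){3,}|&#x?[0-9a-f]+;|[A-Za-z0-9+/]{40,}={0,2}", re.I)),
]


def triage_comments(csv_text):
    """Return [(comment_ID, [labels])] for comments that need a manual look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        labels = [label for label, rx in INDICATORS if rx.search(row["comment_content"])]
        # comment_date is the submission date; the approval time lives in the moderation log.
        if row["comment_date"][:10] >= VULN_WINDOW_START:
            labels.append("dated-in-window")
        if labels:
            findings.append((row["comment_ID"], labels))
    return findings


# Constructed sample export; not data from any real site.
SAMPLE_EXPORT = """comment_ID,comment_post_ID,comment_date,comment_author,comment_content
101,7,2026-04-20 10:00:00,alice,Great tutorial. Thanks.
102,7,2026-05-10 09:15:00,bob,"See https://www.youtube.com/watch?v=EXAMPLEID1 <script>MARKER</script>"
103,9,2026-05-12 14:02:00,carol,Totally agree &#x3c;3 this post
104,9,2026-04-01 08:00:00,dave,<b>bold</b> opinion
"""

if __name__ == "__main__":
    for comment_id, labels in triage_comments(SAMPLE_EXPORT):
        print(comment_id, ", ".join(labels))
```

Labels are triage hints, not verdicts: comment 103 is flagged only because an HTML entity and a submission date inside the window both warrant a look.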
Safe fix path
- Update FV Flowplayer. Move to 7.5.50.7212 or newer, preferably the latest stable version.
- Disable comment parsing if not needed. Keep Parse Vimeo and YouTube links off unless the site depends on it.
- Review approved comments. Trash suspicious comments and preserve a copy if compromise is possible.
- Rotate admin sessions. Log out all users if an administrator viewed a suspicious comment page.
- Check for follow-on changes. Review admin users, plugin installs, theme edits, and recently modified PHP files.
When to treat it as an incident
- The site used FV Flowplayer 7.5.49.7212 or older with comment parsing enabled.
- A suspicious comment was approved and displayed on a public page.
- An administrator viewed the affected page before the comment was removed.
- Admin users, plugins, theme files, redirects, or site settings changed afterward.
Ping7 repair path
Ping7 can review the plugin version, setting state, approved comments, admin events, and post-XSS WordPress changes. Start from CVE Repair and include the site URL, FV Flowplayer version, and whether comment parsing was on.