Wordpress security

Persistent Cross-site Scripting in Popular WordPress Plugin Flowplayer Video Player

Updated: July 2, 2019 by Oliver Sild

At the beginning of this week, we have identified persistent cross-site scripting in popular WordPress plugin Flowplayer Video Player.

According to the WordPress plugin repository, the plugin counts over 40,000 active installations. Vulnerability in this software allows an unauthenticated attacker to inject potentially malicious JavaScript code which will be executed in admin’s web browser.

Flowplayer Video Player

FV Player is a free plugin for embedding FLV or MP4 videos into your posts or pages with Flash fallback for legacy browsers. In addition to the many other features, this plugin allows you to collect email subscriptions.

Flowplayer Video Player Vulnerability Description

The issue with email subscription component is that emails are being saved in the database even if they are detected as malformed.

Flowplayer Video Player

The vulnerable function is exposed to unauthenticated users over `wp_ajax_nopriv_fv_wp_flowplayer_email_signup` ajax hook. It saves anything that user provides in `email` POST parameter.

Provided email input is then rendered on email export screen without being sanitized. This leaves admin users exposed to the danger of persistent cross-site scripting attacks.

Flowplayer Video Player

A vulnerability affects plugin FV Flowplayer Video Player version and before.

Plugin developers have been notified about the issue on May 13th, 2019. and took intermediate action and released a fixed version ( one day later on May 14th, 2019.

Flowplayer Video Player

As we can see from the statistics above, half of the users are using version 7.2 and older. This means it may be that about 20 000+ users who have the outdated FV Flowplayer Video Player plugin version are vulnerable to exploits.


Always keep your plugins updated. If possible, enable automatic updates. If you are using the mentioned plugin, you need to update it with the latest version as soon as possible.

Websites with WebARX firewall installed were protected before, and after detecting this security issue. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.

Wordpress security

Start your free 7-day trial now

Protect your websites from malicious traffic - set-up in under 3 minutes.

Try it now

WebARX is compatible with the following platforms: