CVE-2026-7556 is a stored cross-site scripting vulnerability in the FV Flowplayer Video Player WordPress plugin. It arises from improper neutralization of input during web page generation (CWE-79) specifically in the comment text processing. The vulnerability is exploitable only if the 'Parse Vimeo and YouTube links' (parse_comments) setting is enabled and requires an administrator to approve the malicious comment before the payload is delivered to users. This flaw allows unauthenticated attackers to inject arbitrary web scripts that execute in the context of users visiting the affected pages. The CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and impact on confidentiality and integrity with scope change.

Successful exploitation can lead to arbitrary script execution in the browsers of users viewing the injected comment, potentially compromising user confidentiality and integrity of the affected site content. The vulnerability does not impact availability. Exploitation requires administrative approval of the malicious comment and enabling of a non-default plugin setting, limiting the attack surface. There are no known active exploits in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider disabling the 'Parse Vimeo and YouTube links' (parse_comments) setting to prevent exploitation. Additionally, carefully review and moderate comments before approval to avoid injecting malicious scripts. Monitor vendor channels for updates regarding patches or official mitigations.