Description
The Lazy Load for Videos plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its lazy‑loading handlers in all versions up to, and including, 2.18.7 due to insufficient input sanitization and output escaping. The plugin’s JavaScript registration handlers read the client‑supplied 'data-video-title' and 'href' attributes, decode HTML entities by default, and pass them directly into DOM sinks without any escaping or validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

The Lazy Load for Videos plugin is vulnerable to a stored XSS flaw that allows an authenticated contributor or higher to inject malicious script code via the 'data-video-title' and 'href' attributes. Once supplied by the attacker, the plugin decodes HTML entities and writes the raw strings into the page without escaping, causing the script to run for every user who views the affected page. This flaw enables the attacker to manipulate the browser context of other users, potentially leading to session hijacking, defacement, or credential theft.

Affected Systems

All WordPress sites running the Lazy Load for Videos plugin by Kevin Weber, in all released versions up to and including 2.18.7. Any installation where contributors have write access to embed videos is susceptible.

Risk and Exploitability

The CVSS score of 6.4 indicates medium severity based on integrity impacts, while the EPSS score is under 1%, suggesting a low but non‑zero likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog, implying no confirmed widespread attacks. Nevertheless, because only Contributor‑level access is required, many users in a typical WordPress environment can exploit the flaw. An attacker may inject the malicious code by adding or editing a post, page, or media item that includes the vulnerable attributes; the embedded script will then execute for all visitors who load the page.

Generated by OpenCVE AI on April 21, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Lazy Load for Videos to the latest available version that removes the vulnerable code.
  • If no update is available, temporarily disable or uninstall the plugin to block the exploitation path.
  • Review and limit Contributor or higher roles, ensuring only trusted users can add or edit content that passes through the plugin.

Generated by OpenCVE AI on April 21, 2026 at 03:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28782 The Lazy Load for Videos plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its lazy‑loading handlers in all versions up to, and including, 2.18.7 due to insufficient input sanitization and output escaping. The plugin’s JavaScript registration handlers read the client‑supplied 'data-video-title' and 'href' attributes, decode HTML entities by default, and pass them directly into DOM sinks without any escaping or validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 27 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 Aug 2025 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Kevinweber
Kevinweber lazy Load For Videos
Wordpress
Wordpress wordpress
Vendors & Products Kevinweber
Kevinweber lazy Load For Videos
Wordpress
Wordpress wordpress

Wed, 27 Aug 2025 02:30:00 +0000

Type Values Removed Values Added
Description The Lazy Load for Videos plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its lazy‑loading handlers in all versions up to, and including, 2.18.7 due to insufficient input sanitization and output escaping. The plugin’s JavaScript registration handlers read the client‑supplied 'data-video-title' and 'href' attributes, decode HTML entities by default, and pass them directly into DOM sinks without any escaping or validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Lazy Load for Videos <= 2.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via data-video-title and href Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Kevinweber Lazy Load For Videos
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:33.178Z

Reserved: 2025-07-16T22:56:22.532Z

Link: CVE-2025-7732

cve-icon Vulnrichment

Updated: 2025-08-27T14:09:10.616Z

cve-icon NVD

Status : Deferred

Published: 2025-08-27T03:15:38.367

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7732

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T03:30:26Z

Weaknesses