Description
The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing (`preg_replace`) that does not properly handle HTML attribute boundaries when replacing `src` attributes, allowing crafted content inside a `class` attribute value to be promoted to real DOM attributes after processing. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-12
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The BJ Lazy Load WordPress plugin contains a stored cross‑site scripting flaw in its image filtering routine. A crafted value inside a class attribute can be parsed, causing the content to become a real DOM attribute after the PHP regex replacement. An attacker with at least Contributor level can insert arbitrary JavaScript that will run when any user views the affected page. This allows client‑side code execution, potentially enabling cookie theft, session hijack, defacement or phishing attacks.

Affected Systems

WordPress sites that use the BJ Lazy Load plugin, versions 1.0.9 and earlier are affected. The flaw resides in the plugin’s filter_images() function and applies to all installations of the vendor product ‘BJ Lazy Load’ that have not been patched beyond 1.0.9.

Risk and Exploitability

The CVSS score is 6.4, indicating a medium severity vulnerability. EPSS data is not available and the issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with Contributor-level privileges, making the attack vector local to the CMS user. Because the exploit injects persistent scripts into page content, any visitor to the compromised page can be exposed to the injected code. The medium CVSS score combined with the authenticated attack vector suggests that the risk is present but lower than remote code execution; however, the availability of many Contributor accounts in typical WordPress installations means the vulnerability is still actionable.

Generated by OpenCVE AI on May 12, 2026 at 10:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BJ Lazy Load plugin to version 1.0.10 or later to remove the regex‑based flaw
  • If an upgrade is not immediately possible, permanently remove or disable the plugin to eliminate the vulnerable code
  • Sanitize all image ‘class’ attribute values by stripping or escaping characters that could form injected DOM attributes, thereby mitigating the CWE‑79 weakness
  • Restrict Contributor‑level accounts and enforce least‑privilege policies to reduce the attack surface

Generated by OpenCVE AI on May 12, 2026 at 10:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 08:30:00 +0000

Type Values Removed Values Added
Description The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing (`preg_replace`) that does not properly handle HTML attribute boundaries when replacing `src` attributes, allowing crafted content inside a `class` attribute value to be promoted to real DOM attributes after processing. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title BJ Lazy Load <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom HTML Block
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-12T07:48:29.322Z

Reserved: 2026-02-10T18:03:19.039Z

Link: CVE-2026-2300

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-12T09:16:39.623

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-2300

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T11:00:07Z

Weaknesses