Description
The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6. This is due to a regex bug in the _filter_videos() method that breaks HTML attribute quoting when processing crafted <video> elements, combined with unescaped output in the admin/views/form-data.php template. An authenticated attacker with Contributor-level access can insert a crafted <video> tag whose src attribute contains an embedded class=" substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (autofocus, onfocus). The injected script executes in the browser of any user (including administrators) who views the post.
Published: 2026-05-28
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The a3 Lazy Load plugin contains a regex bug in the _filter_videos() method that disrupts proper quoting of HTML attributes when it processes <video> elements. This bug is combined with unescaped output in the admin/views/form-data.php template, allowing a user with Contributor or higher privileges to insert a crafted <video> tag whose src attribute embeds a class=" substring. The plugin's regex then consumes the closing quote of that attribute value, so the browser's attribute parser interprets attacker-controlled text as standalone attributes, including the value of an event-handler attribute (for example onfocus). When a post containing this payload is viewed in a browser, the injected script runs in the victim's browser context. The effect is a classic stored cross-site scripting flaw that can execute arbitrary JavaScript while a user is viewing the content. Because the code runs inside the victim's browser, it may compromise the user's session or expose information, but the CVE description does not specify what the injected script actually does. This flaw requires authentication at Contributor level; the attacker must create or edit a post that contains the malicious <video> element.

Affected Systems

All installations of a3 Lazy Load version 2.7.6 or earlier on WordPress sites are vulnerable. Attacks can be carried out by any user who has Contributor or higher privileges on the affected WordPress installation. Version 2.7.7 and later contain the fix and are not vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4 (Medium severity). It is not listed in CISA's KEV catalog and EPSS data is not available. Because the exploit only requires a Contributor or higher role, which many sites grant to multiple users, a broad range of legitimate users can abuse it. The flaw does not provide server-side code execution or privilege escalation; the impact is limited to the browser of any user who views the post, including administrators. The likelihood of exploitation is non-negligible given the relative ease of crafting the payload and the low barriers to creating a post.

Generated by OpenCVE AI on May 28, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the a3 Lazy Load plugin to version 2.7.7 or newer where the regex bug is fixed.
  • If a newer version cannot be installed, permanently deactivate or uninstall the plugin until the patch is available.
  • Restrict Contributor and higher roles to trusted users or revoke the capability that allows editing or inserting video elements.
  • Implement server‑side validation or sanitization that removes/neutralizes event‑handler attributes from <video> tags before rendering them in the post content.
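The last two recommendations amount to one engineering rule: decide attribute boundaries with an HTML tokenizer and re-serialise with escaped values, instead of rewriting raw markup with a regex that a stray quote inside another attribute's value can confuse. The following is an added example written for this page in Python; it is not code from the a3 Lazy Load plugin, which is PHP, and it only assumes that the plugin's task is to add a lazy-load class to <video> tags (the class name "lazy-video" is an assumed placeholder). It goes slightly beyond the recommendation by dropping on* event-handler attributes on every tag, not only on <video>.

```python
"""Tokenizer-based rewrite of <video> tags in user-submitted HTML.

Added example for this page, not the plugin's own code. Assumptions:
the rewrite's job is to add a lazy-load class to <video> tags, and
"lazy-video" stands in for whatever class the real plugin uses.
"""
import re
from html import escape
from html.parser import HTMLParser

# Event-handler attributes (onfocus, onerror, onload, ...) have no place
# in contributor-submitted markup; drop them on every tag.
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.I)
# Boolean attributes that let an injected handler fire with no user click.
DROP_ON_VIDEO = frozenset({"autofocus"})


class VideoRewriter(HTMLParser):
    """Re-serialises markup from parsed tokens. Attribute boundaries are
    decided by the tokenizer, so a quote character hidden inside one
    attribute's value cannot be mistaken for the end of that value."""

    def __init__(self, lazy_class="lazy-video"):
        super().__init__(convert_charrefs=True)
        self.lazy_class = lazy_class
        self.out = []

    def _clean_attrs(self, tag, attrs):
        cleaned = {}
        for name, value in attrs:
            name = name.lower()
            if name in cleaned:            # HTML keeps the first duplicate
                continue
            if EVENT_HANDLER.match(name):
                continue
            if tag == "video" and name in DROP_ON_VIDEO:
                continue
            cleaned[name] = value
        if tag == "video":
            # Add the lazy class as a token, not by regex over raw text.
            tokens = (cleaned.get("class") or "").split()
            if self.lazy_class not in tokens:
                tokens.append(self.lazy_class)
            cleaned["class"] = " ".join(tokens)
        return cleaned

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [f"<{tag}"]
        for name, value in self._clean_attrs(tag, attrs).items():
            if value is None:
                parts.append(f" {name}")
            else:
                # quote=True turns an embedded " into &quot;, so the value
                # can never close its own attribute when re-parsed.
                parts.append(f' {name}="{escape(value, quote=True)}"')
        parts.append(" />" if self_closing else ">")
        self.out.append("".join(parts))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are re-escaped; entities decoded by the parser come
        # back out as entities.
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they are a common place to hide markup

    def result(self):
        return "".join(self.out)


def rewrite_videos(html_in, lazy_class="lazy-video"):
    """Return html_in with event handlers removed and <video> tags tagged
    with lazy_class, rebuilt from tokens rather than edited in place."""
    parser = VideoRewriter(lazy_class)
    parser.feed(html_in)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample: a src value carrying a quote and a class=" substring,
    # plus an event handler and autofocus that must not survive.
    sample = ('<p>a &lt; b</p>'
              '<video src="m.mp4&quot;class=&quot;" onfocus="f()" autofocus controls>'
              '</video>')
    print(rewrite_videos(sample))
```

Note that this parser treats <script> and <style> bodies as ordinary text and escapes them, which is the desired behaviour for contributor content; it is not a general-purpose HTML serialiser.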

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 07:30:00 +0000

Type Values Removed Values Added
Description The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6. This is due to a regex bug in the _filter_videos() method that breaks HTML attribute quoting when processing crafted <video> elements, combined with unescaped output in the admin/views/form-data.php template. An authenticated attacker with Contributor-level access can insert a crafted <video> tag whose src attribute contains an embedded class=" substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (autofocus, onfocus). The injected script executes in the browser of any user (including administrators) who views the post.
Title a3 Lazy Load <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Element
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:34:51.326Z

Reserved: 2026-04-16T12:17:02.076Z

Link: CVE-2026-6427

Vulnrichment

Updated: 2026-05-28T10:34:46.229Z

NVD

Status: Deferred

Published: 2026-05-28T08:16:36.317

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-6427

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T09:00:11Z

Weaknesses