Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the _filter_videos() method that breaks HTML attribute quoting when processing crafted <video> elements, combined with unescaped output in the admin/views/form-data.php template. An authenticated attacker with Contributor-level access can insert a crafted <video> tag whose src attribute contains an embedded class=" substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (autofocus, onfocus). The injected script executes in the browser of any user (including administrators) who views the post.
AnalysisAI
Stored cross-site scripting in the a3 Lazy Load WordPress plugin (all versions through 2.7.6) allows authenticated Contributor-level users to inject persistent JavaScript into posts via a deliberately crafted <video> tag. Two compounding flaws drive the vulnerability: a regex bug in the _filter_videos() method that mishandles HTML attribute quoting, and unescaped output in the admin/views/form-data.php template. When any user - including a site administrator - views an affected post, the injected event-handler attributes (autofocus, onfocus) execute in the viewer's browser, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
The a3 Lazy Load plugin (CPE: cpe:2.3:a:a3rev:a3_lazy_load:*:*:*:*:*:*:*:*) implements lazy loading for video elements by processing <video> tags through the _filter_videos() method in class-a3-lazy-load.php (lines ~623-666). That method applies a regex to manipulate class attributes on video elements, but the regex does not account for embedded class=" substrings appearing inside src attribute values. When such a substring is present, the regex incorrectly consumes the closing quote of the src attribute, shifting the HTML5 parser's quote boundary. This promotes attacker-controlled text - originally inside a quoted attribute value - into a standalone unquoted position where the browser interprets it as executable event-handler attributes such as autofocus and onfocus. A second flaw in admin/views/form-data.php (line 11) renders the manipulated markup without escaping, allowing the malformed HTML to reach the browser unmodified. CWE-79 (Improper Neutralization of Input During Web Page Generation) covers this root cause class: user-controlled data flows through a broken transformation pipeline and arrives in an HTML output context without sanitization.
RemediationAI
Update the a3 Lazy Load plugin to version 2.7.7 or later, which addresses both the regex flaw in _filter_videos() and the unescaped output in admin/views/form-data.php, per the WordPress plugin repository changeset at https://plugins.trac.wordpress.org/changeset?old_path=%2Fa3-lazy-load/tags/2.7.6&new_path=%2Fa3-lazy-load/tags/2.7.7. Note that version 2.7.7 as a formal release is inferred from the changeset reference and has not been independently confirmed as a tagged WordPress.org release at time of analysis - verify availability in the WordPress plugin dashboard before deploying. If immediate upgrade is not possible, revoke or suspend all Contributor-level accounts on the affected site, as this eliminates the attacker's required entry point; the trade-off is loss of multi-author contribution workflows. Disabling the a3 Lazy Load plugin entirely until patching is an alternative compensating control, though it removes lazy-loading functionality site-wide. Consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/5246efbb-93cc-4951-900e-d13d08840f03) for the latest remediation status.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32733
GHSA-xgw3-j63x-rv92