CVE-2026-6427
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
28/05/2026
Last modified:
28/05/2026
Description
The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6. This is due to a regex bug in the _filter_videos() method that breaks HTML attribute quoting when processing crafted elements, combined with unescaped output in the admin/views/form-data.php template. An authenticated attacker with Contributor-level access can insert a crafted tag whose src attribute contains an embedded class=" substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (autofocus, onfocus). The injected script executes in the browser of any user (including administrators) who views the post.
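The quote-boundary shift described above, illustrated with an added example that is not the plugin's code: a hypothetical textual class-replacement regex (CLASS_RE, assumed for illustration) is run over a constructed tag in which every attacker-supplied string sits inside a quoted attribute value, and a minimal HTML5-style attribute tokenizer shows an onfocus attribute appearing only after the rewrite. The hardened variant edits parsed attributes and re-serializes them with escaped, quoted values, which is the defensive pattern for this bug class.

```python
import html
import re

# Constructed sample: every attacker-supplied string sits inside a quoted
# attribute value, so the original markup carries no event-handler attribute.
CRAFTED = '<img src="https://example.invalid/v.mp4?class=" alt="autofocus onfocus=1">'
# Hypothetical class-replacement regex (not the plugin's actual code): it
# matches class="..." anywhere in the tag text instead of a whole attribute.
CLASS_RE = re.compile(r'class="[^"]*"')
# Attribute grammar used by the minimal tokenizer below: a name, then an
# optional =value that is double-quoted, single-quoted or bare; an
# unterminated quote runs to the end of the tag.
ATTR_RE = re.compile(r'''[\s/]*([^\s/=>]+)(?:\s*=\s*(?:"([^"]*)"?|'([^']*)'?|([^\s>]*)))?''')

def tokenize_attrs(body):
    """HTML5-style start-tag attribute tokenizer -> [(name, value)].
    As in a browser, a non-space char right after a closing quote starts a new
    attribute name, and quote characters inside a name are kept as part of it."""
    out = []
    for m in ATTR_RE.finditer(body):
        value = next((g for g in m.group(2, 3, 4) if g is not None), None)
        out.append((m.group(1).lower(), value))
    return out

def attrs_of(tag):
    return tokenize_attrs(tag[len('<img'):-1])  # assumes one <img ...> tag

def vulnerable_rewrite(tag):
    # Textual substitution: the match starts inside src and eats its closing quote.
    return CLASS_RE.sub('class="lazy"', tag)

def hardened_rewrite(tag):
    # Edit the parsed attributes, then re-serialize with every value escaped and quoted.
    attrs = [(n, v) for n, v in attrs_of(tag) if n != 'class'] + [('class', 'lazy')]
    parts = [n if v is None else f'{n}="{html.escape(v, quote=True)}"' for n, v in attrs]
    return '<img ' + ' '.join(parts) + '>'

def has_event_handler(tag):
    # Detection check: any attribute name beginning with "on" is an event handler.
    return any(n.startswith('on') for n, _ in attrs_of(tag))
```

After the vulnerable rewrite the tag tokenizes as src, a junk attribute named lazy"autofocus, and a standalone onfocus attribute; the hardened output keeps onfocus inside the quoted alt value.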
Impact
Base Score 3.x
6.40
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/browser/a3-lazy-load/trunk/admin/views/form-data.php#L11
- https://plugins.trac.wordpress.org/browser/a3-lazy-load/trunk/classes/class-a3-lazy-load.php#L124
- https://plugins.trac.wordpress.org/browser/a3-lazy-load/trunk/classes/class-a3-lazy-load.php#L136
- https://plugins.trac.wordpress.org/browser/a3-lazy-load/trunk/classes/class-a3-lazy-load.php#L623
- https://plugins.trac.wordpress.org/browser/a3-lazy-load/trunk/classes/class-a3-lazy-load.php#L643
- https://plugins.trac.wordpress.org/browser/a3-lazy-load/trunk/classes/class-a3-lazy-load.php#L666
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fa3-lazy-load/tags/2.7.6&new_path=%2Fa3-lazy-load/tags/2.7.7
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5246efbb-93cc-4951-900e-d13d08840f03?source=cve