CVE-2026-6427
Stored XSS in a3 Lazy Load WordPress Plugin
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_media | lazy_load | to 2.7.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The a3 Lazy Load plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 2.7.6. This vulnerability arises from a regex bug in the _filter_videos() method that improperly handles HTML attribute quoting when processing crafted <video> elements. An authenticated attacker with Contributor-level access can insert a specially crafted <video> tag with a src attribute containing an embedded class=" substring. This tricks the plugin's class-replacement regex into consuming the attribute-value closing quote, which shifts the HTML5 parser's quote boundary. As a result, attacker-controlled text is promoted from inside a quoted attribute value into standalone event-handler attributes like autofocus or onfocus. The injected script then executes in the browser of any user, including administrators, who views the affected post.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker with Contributor-level access to inject malicious scripts into posts via crafted <video> tags. When other users, including administrators, view these posts, the malicious scripts execute in their browsers. This can lead to unauthorized actions such as session hijacking, defacement, or other malicious activities performed in the context of the victim's browser session.