CVE-2026-6427
Received Received - Intake
Stored XSS in a3 Lazy Load WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the _filter_videos() method that breaks HTML attribute quoting when processing crafted <video> elements, combined with unescaped output in the admin/views/form-data.php template. An authenticated attacker with Contributor-level access can insert a crafted <video> tag whose src attribute contains an embedded class=" substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (autofocus, onfocus). The injected script executes in the browser of any user (including administrators) who views the post.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-6427
EUVD
EUVD-2026-32733
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_media lazy_load to 2.7.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves a crafted <video> tag with a src attribute containing an embedded class=" substring that exploits a regex bug in the a3 Lazy Load plugin for WordPress. Detection would involve inspecting posts or content for suspicious <video> tags with unusual attribute patterns that break HTML quoting.

Since the vulnerability requires authenticated Contributor-level access to insert the malicious content, detection can include scanning the WordPress database or post content for <video> tags with suspicious src attributes containing class=" substrings or other irregularities.

No specific commands or automated detection tools are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include updating the a3 Lazy Load plugin to a version later than 2.7.6 where this vulnerability is fixed.

If an update is not immediately possible, restrict Contributor-level user permissions to prevent insertion of crafted <video> tags.

Additionally, review and sanitize any existing post content for malicious <video> tags that exploit this vulnerability.

Executive Summary

The a3 Lazy Load plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 2.7.6. This vulnerability arises from a regex bug in the _filter_videos() method that improperly handles HTML attribute quoting when processing crafted <video> elements. An authenticated attacker with Contributor-level access can insert a specially crafted <video> tag with a src attribute containing an embedded class=" substring. This tricks the plugin's class-replacement regex into consuming the attribute-value closing quote, which shifts the HTML5 parser's quote boundary. As a result, attacker-controlled text is promoted from inside a quoted attribute value into standalone event-handler attributes like autofocus or onfocus. The injected script then executes in the browser of any user, including administrators, who views the affected post.

Impact Analysis

This vulnerability allows an authenticated attacker with Contributor-level access to inject malicious scripts into posts via crafted <video> tags. When other users, including administrators, view these posts, the malicious scripts execute in their browsers. This can lead to unauthorized actions such as session hijacking, defacement, or other malicious activities performed in the context of the victim's browser session.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6427. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart