CVE-2025-7732

Name of the Vulnerable Software and Affected Versions: Lazy Load for Videos plugin for WordPress versions through 2.18.7

Description: The Lazy Load for Videos plugin for WordPress is susceptible to Stored Cross-Site Scripting through its lazy-loading handlers. Insufficient input sanitization and output escaping allows attackers to inject arbitrary web scripts into pages. The plugin’s JavaScript registration handlers read the client-supplied data-video-title and href attributes, decode HTML entities, and pass them directly into DOM sinks without validation. Authenticated attackers with Contributor-level access or higher can exploit this issue.

Recommendations: Update Lazy Load for Videos plugin for WordPress to a version later than 2.18.7.