PT-2026-39944 · WordPress · Bj-Lazy-Load

Published

2026-05-12

·

Updated

2026-05-12

·

CVE-2026-2300

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions BJ Lazy Load versions prior to 1.1.0
Description The BJ Lazy Load plugin for WordPress contains a Stored Cross-Site Scripting issue within the filter images() function. The flaw arises from the use of preg replace for regex-based HTML processing, which fails to properly handle HTML attribute boundaries when replacing src attributes. This allows crafted content within a class attribute to be promoted to actual DOM attributes after processing. Consequently, authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page.
Recommendations Update the plugin to a version later than 1.0.9. As a temporary workaround, restrict the use of the filter images() function to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-2300

Affected Products

Bj-Lazy-Load