PT-2026-39944 · WordPress · Bj-Lazy-Load
Published
2026-05-12
·
Updated
2026-05-12
·
CVE-2026-2300
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
BJ Lazy Load versions prior to 1.1.0
Description
The BJ Lazy Load plugin for WordPress contains a Stored Cross-Site Scripting issue within the
filter images() function. The flaw arises from the use of preg replace for regex-based HTML processing, which fails to properly handle HTML attribute boundaries when replacing src attributes. This allows crafted content within a class attribute to be promoted to actual DOM attributes after processing. Consequently, authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page.Recommendations
Update the plugin to a version later than 1.0.9.
As a temporary workaround, restrict the use of the
filter images() function to minimize the risk of exploitation.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bj-Lazy-Load