PT-2026-44198 · A3Rev · A3 Lazy Load

Youcef Hamdani

·

Published

2026-05-28

·

Updated

2026-05-28

·

CVE-2026-6427

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the filter videos() method that breaks HTML attribute quoting when processing crafted elements, combined with unescaped output in the admin/views/form-data.php template. An authenticated attacker with Contributor-level access can insert a crafted tag whose src attribute contains an embedded class=" substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (autofocus, onfocus). The injected script executes in the browser of any user (including administrators) who views the post.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-6427

Affected Products

A3 Lazy Load