No vendor fix or workaround currently provided.
No advisories yet.
Fri, 29 May 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | A3rev; A3rev a3 Lazy Load Wordpress Wordpress wordpress | |
| Vendors & Products | A3rev; A3rev a3 Lazy Load Wordpress Wordpress wordpress | |
Thu, 28 May 2026 11:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Thu, 28 May 2026 07:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6. This is due to a regex bug in the `_filter_videos()` method that breaks HTML attribute quoting when processing crafted `<video>` elements, combined with unescaped output in the `admin/views/form-data.php` template. An authenticated attacker with Contributor-level access can insert a crafted `<video>` tag whose `src` attribute contains an embedded `class="` substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (`autofocus`, `onfocus`). The injected script executes in the browser of any user (including administrators) who views the post. | |
| Title | a3 Lazy Load <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Element | |
| Weaknesses | CWE-79 | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-05-28T10:34:51.326Z
Reserved: 2026-04-16T12:17:02.076Z
Link: CVE-2026-6427
Updated: 2026-05-28T10:34:46.229Z
Status: Deferred
Published: 2026-05-28T08:16:36.317
Modified: 2026-06-17T11:00:48.933
Link: CVE-2026-6427
No data.
OpenCVE Enrichment
Updated: 2026-05-29T15:49:35Z