Threat Entry Updated 2026-06-17

CVE-2026-6427 - A3 Lazy Load Plugin

The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the _filter_videos() method that breaks HTML attribute quoting when processing crafted elements, combined with unescaped output in the admin/views/form-data.php template. An authenticated attacker with Contributor-level access can insert a crafted tag whose src attribute contains an embedded class=" substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text…

PLUGIN A3 Lazy Load

CVE-2026-6427

MEDIUM CVSS 6.4 2026-05-28

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-12-15

CVE-2025-9873 - A3 Lazy Load Plugin

The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN A3 Lazy Load

CVE-2025-9873

MEDIUM CVSS 6.4 2025-12-13

Risk Score

Open Full Technical Breakdown