Vulnerabilities and security researches fora3-lazy-load a3-lazy-load

Jun 07, 2024

CVE, Research URL: d1b0f784da3ca0f399c542515fda1423816819f0
Home page URL: Security reports for a3 Lazy Load
Application: a3 Lazy Load
Date: Nov 02, 2022
Research Description: a3 Lazy Load [a3-lazy-load] < 2.5.0 a3 Lazy Load <= 2.6.0 - Cross-Site Request Forgery to Settings Reset The following plugins for WordPress are vulnerable to Cross-Site Request Forgery: a3 Lazy Load (<= 2.6.0), Contact Us Page – Contact People (<= 3.6.1), a3 Portfolio (<= 3.0.1), Dynamic Product Gallery for WooCommerce (3.0.1), a3 Responsive Slider (<= 2.2.0), Compare Products for WooCommerce (<= 2.8.2), Products Quick View for WooCommerce (<= 2.0.1), Product Sort and Display for WooCommerce (<= 2.2.2), Product Widget Slider for WooCommerce (), WP Email Template (<= 2.6.2). This is due to missing nonce validation on the reset_settings() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 2.5.0.
Status: vulnerable

Apr 25, 2026

CVE, Research URL: CVE-2025-9873
Home page URL: Security reports for a3 Lazy Load
Application: a3 Lazy Load
Date: Dec 13, 2025
Research Description: The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.7.6.
Status: vulnerable