Vulnerabilities and security researches forbj-lazy-load bj-lazy-load

Jun 07, 2024

CVE, Research URL: CVE-2015-9415
Home page URL: Security reports for BJ Lazy Load
Application: BJ Lazy Load
Date: Sep 26, 2019
Research Description: The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion.
Affected versions: max 1.0.
Status: vulnerable

May 13, 2026

CVE, Research URL: CVE-2026-2300
Home page URL: Security reports for BJ Lazy Load
Application: BJ Lazy Load
Date: May 12, 2026
Research Description: The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing (`preg_replace`) that does not properly handle HTML attribute boundaries when replacing `src` attributes, allowing crafted content inside a `class` attribute value to be promoted to real DOM attributes after processing. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.0.9.
Status: vulnerable