cleantalk
Vulnerabilities and Security Researches

a3 Lazy Load, CVE-2026-6427

CVE, Research URL

CVE-2026-6427

Home page URL

Security reports for a3 Lazy Load

Application

a3 Lazy Load

Published on
May 28, 2026
Research Description
The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the _filter_videos() method that breaks HTML attribute quoting when processing crafted <video> elements, combined with unescaped output in the admin/views/form-data.php template. An authenticated attacker with Contributor-level access can insert a crafted <video> tag whose src attribute contains an embedded class=" substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (autofocus, onfocus). The injected script executes in the browser of any user (including administrators) who views the post.
Affected versions
max 2.7.7.
Status
vulnerable
Previous vulnerability researches
Admin Chat Box (CVE-2026-8787) , May 29, 2026
New vulnerability
Disable Comments for Any Post Types (Remove comments) (CVE-2026-42749) , May 29, 2026
Rank Math SEO with AI SEO Tools (CVE-2025-12714) , May 29, 2026
WP Contact Form 7 DB Handler (CVE-2026-6455) , May 29, 2026
Duplicate Page and Post (CVE-2026-49046) , May 29, 2026
a3 Lazy Load (CVE-2026-6427) , May 29, 2026