cleantalk
Vulnerabilities and Security Researches

BJ Lazy Load, CVE-2026-2300

CVE, Research URL

CVE-2026-2300

Home page URL

Security reports for BJ Lazy Load

Application

BJ Lazy Load

Published on
May 12, 2026
Research Description
The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing (`preg_replace`) that does not properly handle HTML attribute boundaries when replacing `src` attributes, allowing crafted content inside a `class` attribute value to be promoted to real DOM attributes after processing. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.0.9.
Status
vulnerable
Previous vulnerability researches
WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress (CVE-2021-47941) , May 13, 2026
WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress (CVE-2015-2090) , Jun 06, 2024
WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress (CVE-2024-12528) , Jan 08, 2025
WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress (CVE-2024-13596) , Feb 01, 2025
New vulnerability
WP Google Maps Integration (CVE-2026-7464) , May 13, 2026
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) (CVE-2026-5371) , May 13, 2026
bunny.net – WordPress CDN Plugin (CVE-2025-68049) , May 13, 2026
BJ Lazy Load (CVE-2026-2300) , May 13, 2026
WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress (CVE-2021-47941) , May 13, 2026