CVE-2025-11927

The Flying Images: Optimize and Lazy Load Images for Faster Page Speed plugin for WordPress (versions up to and including 2.4.14) is vulnerable to Stored Cross-Site Scripting (XSS) through its admin settings panel [1]. The root cause is insufficient input sanitization and output escaping on plugin configuration fields, as seen in the settings file settings/lazyload.php [1]. This allows an attacker with administrator-level access to inject arbitrary web scripts that become stored and executed in the context of other users who later access affected admin pages.

Exploitation requires administrator-level permissions and is further constrained to multi-site installations or single-site setups where the unfiltered_html capability has been disabled [1]. This reduces the attack surface but still presents a risk in environments where administrators cannot be fully trusted or where privilege escalation from a lower-privileged user to admin is possible. The injected script could be triggered when any user (including lower-privileged users) accesses an injected page.

The impact of successful exploitation is the execution of arbitrary JavaScript in the browser of a user viewing the compromised admin page. This can be used to hijack sessions, perform actions on behalf of the victim, steal sensitive information, or deface the admin interface [1]. The vulnerability is rated Medium severity (CVSS v3 score 4.4).

As of the vulnerability's publication date, the vendor has not released a patched version beyond 2.4.14. Users are advised to restrict administrator access to trusted individuals, disable the plugin on multisite installations where possible, or apply a web application firewall rule to block malicious input patterns. No workaround is provided by the vendor.