CVE-2025-7732
Description
The Lazy Load for Videos plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its lazy‑loading handlers in all versions up to, and including, 2.18.7 due to insufficient input sanitization and output escaping. The plugin’s JavaScript registration handlers read the client‑supplied 'data-video-title' and 'href' attributes, decode HTML entities by default, and pass them directly into DOM sinks without any escaping or validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Lazy Load for Videos plugin ≤2.18.7 allows contributors+ to inject arbitrary scripts via unescaped title/href attributes.
The Lazy Load for Videos plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 2.18.7. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's JavaScript handlers. Specifically, the handlers read the client-supplied data-video-title and href attributes, decode HTML entities by default, and then directly pass the decoded content into DOM sinks without any escaping or validation [1].
An attacker must have at least Contributor-level access to the WordPress site to exploit this vulnerability. By injecting malicious JavaScript into the data-video-title or href attributes of plugin elements, the attacker can cause arbitrary web scripts to execute when any user views the affected page. No additional privileges or network position are required beyond authenticated access with Contributor capabilities [1].
Successful exploitation allows the attacker to inject and execute arbitrary scripts in the context of the victim's browser. This can lead to session hijacking, defacement, theft of sensitive information, or further compromise of the WordPress site. The impact is typical of stored XSS vulnerabilities, where the malicious payload persists across page loads and affects all visitors [1].
As of the publication date, users are advised to update the plugin to a patched version if available. The vendor may have released a fix addressing the input sanitization and output escaping issues. No workarounds are mentioned in the available reference, so updating is the primary mitigation [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <=2.18.7
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- plugins.trac.wordpress.org/browser/lazy-load-for-videos/trunk/public/js/lazyload-vimeo.jsnvd
- plugins.trac.wordpress.org/browser/lazy-load-for-videos/trunk/public/js/lazyload-youtube.jsnvd
- plugins.trac.wordpress.org/changeset/3348894nvd
- wordpress.org/plugins/lazy-load-for-videos/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/9d28bd7d-ad3f-4720-9e09-466169fc672bnvd
News mentions
0No linked articles in our index yet.