VYPR
Medium severity (6.4) · NVD Advisory · Published May 28, 2026

CVE-2026-6427

Description

The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6. This is due to a regex bug in the _filter_videos() method that breaks HTML attribute quoting when processing crafted elements, combined with unescaped output in the admin/views/form-data.php template. An authenticated attacker with Contributor-level access can insert a crafted tag whose src attribute contains an embedded class=" substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (autofocus, onfocus). The injected script executes in the browser of any user (including administrators) who views the post.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored Cross-Site Scripting vulnerability in a3 Lazy Load plugin for WordPress up to version 2.7.6 allows authenticated attackers with Contributor access to inject arbitrary web scripts.

Vulnerability

The vulnerability resides in the _filter_videos() method of the a3 Lazy Load plugin (versions up to and including 2.7.6). A regex bug in the method fails to properly handle crafted elements, breaking HTML attribute quoting. When the plugin processes a tag with a src attribute containing an embedded class=" substring, the class-replacement regex consumes an attribute-value closing quote, shifting the HTML parser's quote boundary. This allows attacker-controlled text from inside a quoted attribute value to become standalone event-handler attributes such as autofocus and onfocus. The unescaped output in the admin/views/form-data.php template exacerbates the issue. [1]

Exploitation

An authenticated attacker with at least Contributor-level access can insert a crafted tag into a post or page. The crafted tag's src attribute includes a class=" substring that tricks the plugin's regex. The attacker also includes malicious event handler attributes (e.g., onfocus) that become active after the quote boundary shift. No additional user interaction is required beyond viewing the post. [1]

Impact

Successful exploitation leads to stored cross-site scripting (XSS). The injected script executes in the browser of any user who views the affected post, including administrators. This can result in session hijacking, credential theft, or other malicious actions within the WordPress admin context. The attacker gains the ability to execute arbitrary JavaScript in the context of the victim's session. [1]

Mitigation

As of the publication date (2026-05-28), no patched version has been released. Users should disable the plugin until a fix is available. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 8

News mentions: 0

No linked articles in our index yet.