PatchSiren cyber security CVE debrief

CVE-2026-6427 a3rev CVE debrief

A stored cross-site scripting (XSS) vulnerability in the a3 Lazy Load WordPress plugin allows authenticated attackers with Contributor-level access to inject and execute arbitrary JavaScript in the browsers of users viewing affected posts. The vulnerability stems from a regex bug in the `_filter_videos()` method that mishandles HTML attribute quoting when processing crafted `<video>` elements, combined with unescaped output in `admin/views/form-data.php`. An attacker can craft a `<video>` tag with a `src` attribute containing an embedded `class=` substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This boundary shift promotes attacker-controlled text from inside a quoted attribute value into standalone attributes (`autofocus` and the `onfocus` event handler), enabling script execution. The vulnerability affects all versions up to and including 2.7.6. The issue was disclosed on 2026-05-28 with a CVSS 3.1 score of 6.4 (Medium severity).

Vendor: a3rev
Product: a3 Lazy Load
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

WordPress site administrators using the a3 Lazy Load plugin, security teams managing WordPress installations, and developers maintaining plugins with regex-based HTML filtering functionality.

Technical summary

The a3 Lazy Load plugin for WordPress contains a stored XSS vulnerability (CVSS 6.4, Medium) in versions up to and including 2.7.6. The flaw exists in the `_filter_videos()` method, where a regex bug mishandles HTML attribute quoting during `<video>` element processing, coupled with unescaped output in `admin/views/form-data.php`. An authenticated attacker with Contributor privileges can craft a `<video>` tag whose `src` attribute contains an embedded `class=` substring. This malformed input tricks the plugin's class-replacement regex into consuming an attribute-value closing quote, shifting the HTML5 parser's quote boundary. The attacker's controlled text is then promoted from inside a quoted attribute value into standalone attributes such as `autofocus` and the `onfocus` event handler, causing script execution in the browsers of any user viewing the post, including administrators. The vulnerability was disclosed on 2026-05-28 and fixed in version 2.7.7.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade a3 Lazy Load plugin to version 2.7.7 or later to remediate the regex bug in `_filter_videos()` and unescaped output in `admin/views/form-data.php`
  • Review and restrict Contributor-level user permissions where possible, as this vulnerability requires authenticated access at that privilege level
  • Implement Content Security Policy (CSP) headers to mitigate the impact of any stored XSS that may already exist in cached content before patching
  • Audit existing posts for suspicious `<video>` tags with malformed `src` attributes containing `class=` substrings that may indicate prior exploitation attempts
  • Enable output encoding and context-aware escaping for all user-supplied content rendered in administrative templates
  • Consider implementing additional input validation for HTML element attributes processed by regex-based filtering functions
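A small auditor for the post-content review step above, added here as an example (it is not PatchSiren's or the plugin's own code): it parses stored post HTML with Python's `html.parser` and flags `<video>` tags whose attributes match the crafted structure this advisory describes. The indicator labels and the two sample posts are constructed for illustration.

```python
from html.parser import HTMLParser


class VideoTagAuditor(HTMLParser):
    """Collect <video> start tags that look crafted to confuse a regex-based
    attribute rewriter: class= inside src, a quote character inside the src
    value, or autofocus / on* attributes on the element itself."""

    def __init__(self):
        # html.parser decodes entity references such as &quot; in attribute
        # values, so a smuggled quote is visible as a literal quote here.
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "video":
            return
        indicators = []
        for name, value in attrs:
            if name == "src" and value is not None:
                if "class=" in value.lower():
                    indicators.append("class= inside src")
                if '"' in value or "'" in value:
                    indicators.append("quote inside src value")
            elif name.startswith("on"):
                indicators.append(f"event handler attribute {name}")
            elif name == "autofocus":
                indicators.append("autofocus attribute")
        if indicators:
            self.findings.append(
                {"line": self.getpos()[0], "attrs": attrs, "indicators": indicators}
            )


def audit_post_content(content):
    """Return the list of findings for one post's stored HTML (empty if clean)."""
    auditor = VideoTagAuditor()
    auditor.feed(content)
    auditor.close()
    return auditor.findings


# Constructed sample posts (not real site data): one benign, one suspicious.
BENIGN_POST = '<p>Demo</p><video src="https://example.invalid/clip.mp4" class="wp-video"></video>'
SUSPICIOUS_POST = (
    "<p>Demo</p>\n"
    '<video src="clip.mp4?x=class=&quot;" autofocus onfocus="placeholder"></video>'
)

if __name__ == "__main__":
    for finding in audit_post_content(SUSPICIOUS_POST):
        print(f"line {finding['line']}: {', '.join(finding['indicators'])}")
```

In practice, feed it each row of `post_content` from the site's database and triage the flagged posts by hand; a benign `class` attribute on the `<video>` element itself is not reported, only indicators inside or alongside the `src` value.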

Evidence notes

The vulnerability description identifies the root cause as a regex bug in `_filter_videos()` that breaks HTML attribute quoting when processing crafted `<video>` elements, combined with unescaped output in `admin/views/form-data.php`. The attack requires Contributor-level authentication and involves crafting a `<video>` tag with a malicious `src` attribute structure. Multiple source references point to specific line numbers in the WordPress plugin repository Trac browser for both the vulnerable template file and the class file containing the flawed regex logic. A changeset reference indicates the fix was implemented between versions 2.7.6 and 2.7.7.

Official resources

2026-05-28