MEDIUM
a3rev
CVE published 2026-05-28
CVE-2026-6427
A stored cross-site scripting (XSS) vulnerability in the a3 Lazy Load WordPress plugin allows authenticated attackers with Contributor-level access to inject and execute arbitrary JavaScript in the browsers of users viewing affected posts. The vulnerability stems from a regex bug in the `_filter_videos()` method that mishandles HTML attribute quoting when processing crafted `<video>` elements, combined wi [truncated]