A3 Lazy Load WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the A3 Lazy Load plugin for WordPress, affecting all versions up to and including 2.7.6. The issue arises from a regular expression error in the '_filter_videos()' method, which improperly handles HTML attribute quoting in crafted <video> elements. This flaw, combined with unescaped output in the 'admin/views/form-data.php' template, allows an authenticated attacker with Contributor-level access to inject a malicious <video> tag. The injected script executes in the browser of any user, including administrators, who views the post.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the content.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access can insert a crafted <video> tag into a post. The <video> tag must include a source attribute that contains an embedded class substring, which exploits the plugin's class-replacement regular expression. Once the post is published, the injected script will execute in the browser of any user who views the post.

Remediation

Users are advised to update the A3 Lazy Load plugin to version 2.7.8, which addresses the cross-site scripting vulnerability.