CVE-2025-7732: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kevinweber Lazy Load for Videos
The Lazy Load for Videos plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its lazy-loading handlers in all versions up to, and including, 2.18.7 due to insufficient input sanitization and output escaping. The plugin's JavaScript registration handlers read the client-supplied 'data-video-title' and 'href' attributes, decode HTML entities by default, and pass them directly into DOM sinks without any escaping or validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
The Lazy Load for Videos plugin for WordPress, maintained by kevinweber, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-7732. This vulnerability stems from the plugin's failure to properly sanitize and escape user-supplied input in the 'data-video-title' and 'href' HTML attributes, which are processed by the plugin's JavaScript lazy-loading handlers. Specifically, these attributes are decoded from HTML entities and directly inserted into the DOM without any escaping or validation, allowing malicious scripts to be stored persistently. An attacker with Contributor-level or higher privileges on the WordPress site can exploit this by injecting arbitrary JavaScript code into pages that will execute in the browsers of any users who view those pages, potentially leading to session hijacking, defacement, or other malicious actions. The vulnerability affects all versions up to and including 2.18.7. The CVSS 3.1 base score is 6.4, indicating a medium severity with network attack vector, low complexity, requiring privileges but no user interaction, and partial impact on confidentiality and integrity. No patches or known exploits have been reported at the time of publication, but the vulnerability poses a significant risk to sites using this plugin, especially those with multiple contributors or public-facing content. The scope is considered changed (S:C) because the vulnerability can affect other users beyond the attacker. The weakness is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Potential Impact
This vulnerability allows authenticated users with Contributor-level access or higher to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any visitors or administrators viewing the infected content. The impact includes potential theft of session cookies, user impersonation, unauthorized actions performed on behalf of users, defacement, and distribution of malware. Since the vulnerability affects the confidentiality and integrity of user data and site content, it can undermine trust and lead to reputational damage. Although availability is not directly impacted, the indirect consequences of exploitation could disrupt normal site operations. Organizations with multi-user WordPress environments, especially those allowing contributors to add or edit content, are at higher risk. The medium CVSS score reflects that exploitation requires authenticated access but is otherwise straightforward, making it a credible threat. The lack of known exploits in the wild reduces immediate risk but does not eliminate the need for remediation.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first update the Lazy Load for Videos plugin to a version that addresses this issue once one is available. In the absence of an official patch, administrators can implement strict input validation and output escaping for the 'data-video-title' and 'href' attributes within the plugin's code or via custom filters/hooks in WordPress. Limiting Contributor-level permissions to trusted users reduces the attack surface. Employing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections targeting these attributes can provide additional protection. Regularly auditing user-generated content for suspicious scripts and monitoring logs for unusual activity are recommended. Additionally, enforcing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Finally, educating content contributors about safe input practices and the risks of injecting untrusted content can reduce accidental exploitation.
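The advisory's root cause is the combination of entity decoding and unescaped insertion into the DOM. The following added example (not the plugin's own code; all function names and the sample values are assumptions constructed for illustration) contrasts that unsafe pattern with the output escaping and href validation the recommendations call for. Decoding the stored attribute is acceptable as long as the result is escaped for its output context and the link target is restricted to http(s).

```javascript
// Added example, not code from the Lazy Load for Videos plugin.
// Function names and sample values are assumptions for illustration.

// Decode a small set of HTML entities, mirroring the "decode by default"
// behaviour the advisory attributes to the plugin's handlers.
// '&amp;' is handled last so it cannot create new entities mid-way.
function decodeEntities(s) {
  return String(s)
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// UNSAFE (the CWE-79 pattern): decoded values are concatenated straight
// into markup, so any tag or scheme the contributor stored is emitted as-is.
function buildPlayerUnsafe(title, href) {
  return '<a class="lazy-video" href="' + decodeEntities(href) + '">' +
         decodeEntities(title) + '</a>';
}

// Escape the five characters that matter in HTML text and in a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute http(s) URLs; any other scheme (javascript:, data:, ...)
// or an unparseable value falls back to a harmless '#'.
function safeHref(href) {
  try {
    const u = new URL(String(href));
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) {
    // not an absolute URL at all
  }
  return '#';
}

// HARDENED: decode (to honour entity-encoded titles), validate the URL,
// then escape both values for the context they land in.
function buildPlayerSafe(title, href) {
  return '<a class="lazy-video" href="' + escapeHtml(safeHref(href)) + '">' +
         escapeHtml(decodeEntities(title)) + '</a>';
}

// Constructed sample input: an entity-encoded script tag in the title and a
// non-http scheme in the href, the two fields the advisory names.
const SAMPLE_TITLE = 'Demo &lt;script&gt;x()&lt;/script&gt;';
const SAMPLE_HREF = 'javascript:x()';

console.log('unsafe:', buildPlayerUnsafe(SAMPLE_TITLE, SAMPLE_HREF));
console.log('safe:  ', buildPlayerSafe(SAMPLE_TITLE, SAMPLE_HREF));
```

In the unsafe output the title becomes a live `<script>` element and the href keeps its `javascript:` scheme; in the hardened output the same title renders as literal text and the link target is neutralised. A WordPress-side filter doing the same two things (scheme allow-list on 'href', context-aware escaping of 'data-video-title') before the attributes are stored gives defence in depth even once the plugin is patched.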
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-16T22:56:22.532Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ae6ae4ad5a09ad005e556a
Added to database: 8/27/2025, 2:18:12 AM
Last enriched: 2/26/2026, 4:33:50 PM
Last updated: 3/24/2026, 10:02:42 PM