The a3 Lazy Load WordPress plugin contains a stored XSS vulnerability due to improper neutralization of input during web page generation. Specifically, a regex bug in the _filter_videos() method breaks HTML attribute quoting when processing crafted <video> elements. This bug, combined with unescaped output in the admin/views/form-data.php template, allows an authenticated attacker with Contributor-level access to inject a crafted <video> tag. The crafted tag's src attribute includes an embedded class=" substring that manipulates the plugin's class-replacement regex, causing the HTML5 parser to misinterpret quote boundaries. This promotes attacker-controlled text into standalone event-handler attributes such as autofocus and onfocus, enabling script execution in the browsers of users viewing the post. The vulnerability affects all versions up to 2.7.6. There is no vendor advisory or patch available at this time.

An attacker with Contributor-level access can inject persistent malicious scripts into posts via crafted <video> tags. These scripts execute in the browsers of any users who view the compromised posts, including administrators, potentially leading to session hijacking, privilege escalation, or other client-side attacks. The vulnerability does not affect availability but impacts confidentiality and integrity. The CVSS score of 6.4 reflects a medium severity with network attack vector, low attack complexity, and no user interaction required.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level access to trusted users only and consider disabling or removing the a3 Lazy Load plugin if possible. Monitor for updates from the vendor and apply patches promptly once available.