Does BJ Lazy Load have any unpatched vulnerabilities?

No. All known vulnerabilities in BJ Lazy Load have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is BJ Lazy Load compatible with WordPress 4.9.29?

According to WordPress.org data, BJ Lazy Load 1.0.9 has been tested up to WordPress 4.9.29. Check the plugin's changelog for the latest compatibility information.

How often is BJ Lazy Load updated?

BJ Lazy Load was last updated on Nov 28, 2017. Frequent updates are generally a positive security signal.

What is BJ Lazy Load's security score?

BJ Lazy Load has a WP-Safety security score of 83/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

BJ Lazy Load Security & Risk Analysis

wordpress.org/plugins/bj-lazy-load

Lazy loading for images and iframes makes your site load faster and saves bandwidth. Uses no external JS libraries and degrades gracefully for non-js …

20K active installs v1.0.9 PHP + WP 3.5+ Updated Nov 28, 2017

iframesimagesjavascriptlazy-loadingoptimize

B · Generally Safe

CVEs total1

Unpatched0

Last CVESep 2, 2015

Plugin page Download

Safety Verdict

Is BJ Lazy Load Safe to Use in 2026?

Mostly Safe

Score 83/100

BJ Lazy Load is generally safe to use though it hasn't been updated recently. 1 past CVE were resolved. Keep it updated.

1 known CVELast CVE: Sep 2, 2015Updated 8yr ago

Risk Assessment

The "bj-lazy-load" plugin v1.0.9 exhibits a mixed security posture. While the static analysis shows a very small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are unprotected, this is overshadowed by significant code-level concerns and a concerning vulnerability history. The presence of a dangerous function like "unserialize" without clear context on its usage and sanitization is a red flag. Furthermore, the taint analysis reveals a critical issue: 4 out of 4 analyzed flows have unsanitized paths, all with high severity. This strongly suggests potential vulnerabilities that could allow attackers to manipulate file paths or execute arbitrary code if these flows are exposed to user input. The plugin's vulnerability history is also concerning, with one critical historical CVE categorized as PHP Remote File Inclusion, indicating past exploitable weaknesses. Although this specific CVE is currently patched, it points to a pattern of potentially insecure coding practices that could resurface or manifest in new ways. The lack of capability checks and a low percentage of properly escaped outputs further add to the security concerns. In conclusion, despite a seemingly small attack surface, the plugin has significant underlying code quality issues and a history that warrants caution.

Key Concerns

High severity unsanitized taint flows (4)
Dangerous function unserialize used
SQL queries without prepared statements (4)
Low percentage of properly escaped output (41%)
No capability checks
Critical historical CVE (PHP Remote File Inclusion)

Vulnerabilities

BJ Lazy Load Security Vulnerabilities

CVEs by Year

1 CVE in 2015

2015

Patched Has unpatched

Severity Breakdown

Critical

1 total CVE

CVE-2015-9415critical · 9.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

BJ Lazy Load < 1.0 - Remote File Inclusion via TimThumb

Sep 2, 2015 Patched in 1.0 (3065d)

Code Analysis

Analyzed Mar 16, 2026

BJ Lazy Load Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

12 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$data = unserialize( $form_data['_error_data_' . $this->id ] );inc\scb\PostMetabox.php:75

SQL Query Safety

0% prepared4 total queries

Output Escaping

41% escaped29 total outputs

Data Flows

4 unsanitized

Data Flow Analysis

4 flows4 with unsanitized paths

form_handler (inc\scb\AdminPage.php:195)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

BJ Lazy Load Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 35

actionplugins_loadedbj-lazy-load.php:43

actionadd_meta_boxesinc\class-bjll-skip-post.php:27

actionsave_postinc\class-bjll-skip-post.php:28

filterbj_lazy_load_run_filterinc\class-bjll-skip-post.php:30

actionwpinc\class-bjll.php:36

actionwp_enqueue_scriptsinc\class-bjll.php:63

actionwp_enqueue_scriptsinc\class-bjll.php:64

filterbjll/filterinc\class-bjll.php:122

filterbjll/filterinc\class-bjll.php:126

filterthe_contentinc\class-bjll.php:130

filterwidget_textinc\class-bjll.php:134

filterpost_thumbnail_htmlinc\class-bjll.php:138

filterget_avatarinc\class-bjll.php:142

filterbj_lazy_load_htmlinc\class-bjll.php:145

filterbjll/enabledinc\compat\mobilepress.php:5

actionbjll/compatinc\compat\mobilepress.php:9

filterbjll/enabledinc\compat\opera-mini.php:5

actionbjll/compatinc\compat\opera-mini.php:9

filterbjll/enabledinc\compat\wp-print.php:5

actionbjll/compatinc\compat\wp-print.php:9

filterbjll/enabledinc\compat\wptouch.php:5

actionbjll/compatinc\compat\wptouch.php:9

action_admin_menuinc\scb\AdminPage.php:58

actionadmin_initinc\scb\AdminPage.php:116

actionadmin_noticesinc\scb\AdminPage.php:118

actionadmin_menuinc\scb\AdminPage.php:121

filtercontextual_helpinc\scb\AdminPage.php:122

filtercron_schedulesinc\scb\Cron.php:57

actionactivate_plugininc\scb\load.php:32

actionplugins_loadedinc\scb\load.php:38

actionload-post.phpinc\scb\PostMetabox.php:30

actionload-post-new.phpinc\scb\PostMetabox.php:31

actionadd_meta_boxesinc\scb\PostMetabox.php:44

actionsave_postinc\scb\PostMetabox.php:45

actionwidgets_initinc\scb\Widget.php:13

Maintenance & Trust

BJ Lazy Load Maintenance & Trust

Maintenance Signals

WordPress version tested4.9.29

Last updatedNov 28, 2017

PHP min version

Downloads851K

Community Trust

Rating84/100

Number of ratings90

Active installs20K

Alternatives

BJ Lazy Load Alternatives

Dominant Colors Lazy Loading

dominant-colors-lazy-loading

This plugin allows you to lazy load your images while showing the dominant color of each image as a placeholder – like Pinterest or Google Images.

100 No CVEs

Imagify Image Optimization – Optimize Images | Compress Images | Convert WebP | Convert AVIF

imagify

100

Optimize images in 1-click: compress images, convert to WebP & AVIF, resize, and boost your site with the easiest WordPress image optimization plugin!

1.0M No CVEs

Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP & AVIF | Image CDN

wp-smushit

Optimize and compress images with lossless and lossy compression, lazy load, WebP & AVIF conversion, and global image CDN.

1.0M 6 CVEs

Autoptimize

autoptimize

Autoptimize speeds up your website by optimizing JS, CSS, images (incl. lazy-load), HTML and Google Fonts, asyncing JS, removing emoji cruft and more.

900K 10 CVEs

Converter for Media – Optimize images | Convert WebP & AVIF

webp-converter-for-media

Speed up your website by using our WebP & AVIF Converter. Optimize images and serve WebP and AVIF images instead of standard formats!

500K 4 CVEs

Developer Profile

BJ Lazy Load Developer Profile

Bjørn Johansen

7 plugins · 20K total installs

trust score

Avg Security Score

85/100

Avg Patch Time

3065 days

View full developer profile

Detection Fingerprints

How We Detect BJ Lazy Load

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/bj-lazy-load/js/bj-lazy-load.min.js

Script Paths