WP-Safety

Lazy Load for Videos Security & Risk Analysis

wordpress.org/plugins/lazy-load-for-videos

Boost page speed by replacing embedded YouTube and Vimeo videos with a clickable preview image. Video scripts only load on click.

10K active installs v2.18.9 PHP 7.2+ WP 5.6+ Updated Aug 23, 2025
lazy-loadperformanceprivacyvimeoyoutube
98
A · Safe
CVEs total2
Unpatched0
Last CVEAug 26, 2025
Plugin page Download
Safety Verdict

Is Lazy Load for Videos Safe to Use in 2026?

Generally Safe

Score 98/100

Lazy Load for Videos has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Aug 26, 2025Updated 7mo ago
Risk Assessment

The "lazy-load-for-videos" plugin v2.18.9 demonstrates some good security practices, such as using prepared statements for all SQL queries and performing nonce checks. However, a significant concern arises from its vulnerability history, which includes two medium-severity CVEs, specifically Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). The fact that these vulnerabilities were present indicates a need for more robust input validation and output escaping, especially considering that only 62% of outputs are properly escaped. The absence of any critical or high-severity vulnerabilities in its history is positive, and the fact that there are currently no unpatched vulnerabilities is also reassuring. The plugin also has a remarkably small attack surface, with no apparent unprotected entry points, which is a strong positive security signal.

Key Concerns

  • Medium severity CVEs in history (XSS, CSRF)
  • Significant portion of outputs not properly escaped
  • No capability checks implemented
Vulnerabilities
2

Lazy Load for Videos Security Vulnerabilities

CVEs by Year

1 CVE in 2023
2023
1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2025-7732medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Lazy Load for Videos <= 2.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via data-video-title and href Attributes

Aug 26, 2025 Patched in 2.18.8 (1d)
CVE-2023-45656medium · 4.3Cross-Site Request Forgery (CSRF)

Lazy Load for Videos <= 2.18.2 - Cross-Site Request Forgery

Oct 12, 2023 Patched in 2.18.3 (103d)
Code Analysis
Analyzed Mar 16, 2026

Lazy Load for Videos Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
20 prepared
Unescaped Output
16
26 escaped
Nonce Checks
4
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

SQL Query Safety

100% prepared20 total queries

Output Escaping

62% escaped42 total outputs
Attack Surface

Lazy Load for Videos Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 40
actioninitcodeispoetry.php:68
actioninitcodeispoetry.php:76
actioninitcodeispoetry.php:98
actioninitcodeispoetry.php:100
actionadmin_initsrc\php\class-admin-options.php:7
actionadmin_enqueue_scriptssrc\php\class-admin-options.php:8
filteroembed_dataparsesrc\php\class-admin-options.php:10
actionadmin_menusrc\php\class-admin-options.php:11
actionenqueue_block_editor_assetssrc\php\class-editor.php:10
actionwp_enqueue_scriptssrc\php\class-frontend.php:112
actionadd_meta_boxessrc\php\class-meta.php:11
actionsave_postsrc\php\class-meta.php:12
actionsave_postsrc\php\class-register.php:49
actionadmin_noticessrc\php\class-register.php:56
actioninitsrc\php\class-register.php:101
filtertablepress_cell_contentsrc\php\inc\support_for_tablepress.php:6
filtertablepress_cell_contentsrc\php\inc\support_for_tablepress.php:7
filterwidget_textsrc\php\inc\support_for_widgets.php:6
filterwidget_textsrc\php\inc\support_for_widgets.php:7
filterwoocommerce_product_export_skip_meta_keyssrc\php\inc\support_for_woocommerce_csv_export.php:21
actioninittrunk\codeispoetry.php:68
actioninittrunk\codeispoetry.php:76
actioninittrunk\codeispoetry.php:98
actioninittrunk\codeispoetry.php:100
actionadmin_inittrunk\src\php\class-admin-options.php:7
actionadmin_enqueue_scriptstrunk\src\php\class-admin-options.php:8
filteroembed_dataparsetrunk\src\php\class-admin-options.php:10
actionadmin_menutrunk\src\php\class-admin-options.php:11
actionenqueue_block_editor_assetstrunk\src\php\class-editor.php:10
actionwp_enqueue_scriptstrunk\src\php\class-frontend.php:112
actionadd_meta_boxestrunk\src\php\class-meta.php:11
actionsave_posttrunk\src\php\class-meta.php:12
actionsave_posttrunk\src\php\class-register.php:49
actionadmin_noticestrunk\src\php\class-register.php:56
actioninittrunk\src\php\class-register.php:101
filtertablepress_cell_contenttrunk\src\php\inc\support_for_tablepress.php:6
filtertablepress_cell_contenttrunk\src\php\inc\support_for_tablepress.php:7
filterwidget_texttrunk\src\php\inc\support_for_widgets.php:6
filterwidget_texttrunk\src\php\inc\support_for_widgets.php:7
filterwoocommerce_product_export_skip_meta_keystrunk\src\php\inc\support_for_woocommerce_csv_export.php:21
Maintenance & Trust

Lazy Load for Videos Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedAug 23, 2025
PHP min version7.2
Downloads447K

Community Trust

Rating88/100
Number of ratings105
Active installs10K
Alternatives

Lazy Load for Videos Alternatives

WP YouTube Lyte

WP YouTube Lyte

wp-youtube-lyte

A
98

High performance YouTube video, playlist and audio-only embeds which don't slow down your blog and offer optimal accessibility.

30K 2 CVEs
Simple Lazy Load Videos

Simple Lazy Load Videos

simple-lazy-load-videos

A
100

Simple Lazy Load for embedded video from YouTube and Vimeo

300 No CVEs
Velocity – Video Lazy Loading for YouTube, Twitch and Vimeo

Velocity – Video Lazy Loading for YouTube, Twitch and Vimeo

velocity

A
85

Improve website performance by lazy loading and customizing your YouTube, Vimeo, Twitch and SoundCloud media embeds.

300 No CVEs
YEP: Optimize YouTube Embeds

YEP: Optimize YouTube Embeds

yep-youtube-embed

A
100

Short Description: Load YouTube videos faster by replacing iframes with a preview image; the video plays only when clicked play.

300 No CVEs
Better Core Video Embeds

Better Core Video Embeds

better-core-video-embeds

A
100

A plugin which enhances the core embed block for Youtube, Daily Motion and Vimeo videos by not loading unnecessary scripts until they are needed.

200 No CVEs
Developer Profile

Lazy Load for Videos Developer Profile

kevinweber

1 plugin · 10K total installs

87
trust score
Avg Security Score
98/100
Avg Patch Time
52 days
View full developer profile
Detection Fingerprints

How We Detect Lazy Load for Videos

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/lazy-load-for-videos/src/js/admin-settings.js/wp-content/plugins/lazy-load-for-videos/src/css/admin-settings.css
Script Paths
/wp-content/plugins/lazy-load-for-videos/src/js/admin-settings.js
Version Parameters
/wp-content/plugins/lazy-load-for-videos/src/js/admin-settings.js?ver=/wp-content/plugins/lazy-load-for-videos/src/css/admin-settings.css?ver=

HTML / DOM Fingerprints

CSS Classes
llv-modal-video
HTML Comments
<!-- Plugin by Kevin Weber || www.kweber.com -->
Data Attributes
data-lazy-video-iddata-lazy-video-widthdata-lazy-video-heightdata-lazy-video-titledata-lazy-video-lazydata-lazy-video-type
JS Globals
KW_LLV_FrontendKW_LLV_Settings
FAQ

Frequently Asked Questions about Lazy Load for Videos