Stored Cross-Site Scripting in Lazy Load for Videos Plugin by WordPress
CVE-2025-7732

6.4 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
27 August 2025

What is CVE-2025-7732?

The Lazy Load for Videos plugin for WordPress has a vulnerability that allows authenticated users with Contributor-level access or higher to perform stored Cross-Site Scripting (XSS) attacks. The cause is inadequate input sanitization and output escaping in the plugin's lazy-loading handlers. Specifically, the plugin uses the 'data-video-title' and 'href' attribute values taken from client input directly after decoding their HTML entities, so injected JavaScript is executed in the browser of any user who visits an affected page. Mitigation requires updating the plugin promptly and applying proper input validation and output escaping.
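The decode-then-emit pattern described above, shown beside a hardened form, as an added example that is not the plugin's code; the function names, the markup shape and the sample values are assumptions:

```javascript
// Added illustration of the defect class described above, not code from the
// Lazy Load for Videos plugin. Function names, markup shape and sample values
// are assumptions made for this example.

// Minimal HTML entity decoder, standing in for the handler's decoding step.
function decodeEntities(s) {
  return String(s).replace(/&lt;/g, '<').replace(/&gt;/g, '>')
                  .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Vulnerable pattern: attribute values are decoded and then concatenated into
// markup, so whatever was stored in data-video-title or href becomes live HTML.
function renderPlayerLinkUnsafe(dataVideoTitle, href) {
  const title = decodeEntities(dataVideoTitle);
  const url = decodeEntities(href);
  return '<a class="lazy-video" href="' + url + '">' + title + '</a>';
}

// Escape for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
                  .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Only absolute http(s) URLs are emitted as href; anything else is dropped.
function safeHref(href) {
  try {
    const u = new URL(href);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '';
  } catch (e) {
    return '';
  }
}

// Hardened pattern: decoded values are treated as data, escaped at the point of
// output, and the URL scheme is allowlisted before it reaches the href attribute.
function renderPlayerLinkSafe(dataVideoTitle, href) {
  const title = escapeHtml(decodeEntities(dataVideoTitle));
  const url = escapeHtml(safeHref(decodeEntities(href)));
  return '<a class="lazy-video" href="' + url + '">' + title + '</a>';
}

// Constructed sample: a stored title carrying entity-encoded markup.
const SAMPLE_TITLE = 'My clip &lt;b&gt;bold&lt;/b&gt;';
const SAMPLE_HREF = 'https://videos.example/watch?v=abc123';
```

In the unsafe path the decoded `<b>` tags are emitted as markup; in the hardened path they survive only as escaped text.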

Affected Version(s)

Lazy Load for Videos * <= 2.18.7

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Craig Smith