CVE-2025-7732: 
WordPress vulnerability analysis and mitigation

The Lazy Load for Videos WordPress plugin (versions up to 2.18.7) contains a Stored Cross-Site Scripting vulnerability (CVE-2025-7732). The vulnerability was discovered and disclosed on August 26, 2025. The plugin's JavaScript registration handlers insufficiently sanitize and validate input from 'data-video-title' and 'href' attributes, which are then passed directly into DOM sinks. This affects the plugin's lazy-loading functionality for video content (NVD).

The vulnerability stems from the plugin's lazy-loading handlers failing to properly sanitize and escape user input before processing it. Specifically, the handlers read client-supplied 'data-video-title' and 'href' attributes and decode HTML entities by default, then pass these values directly into DOM sinks without proper validation or escaping. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page containing the injected content. This could lead to client-side attacks against site visitors (NVD).

The vulnerability has been patched in version 2.18.8 of the Lazy Load for Videos plugin. Site administrators are strongly advised to update to this latest version. The fix includes proper input sanitization and output escaping for the affected attributes (Wordfence).