Steve Truman

Thanks @emswpuser

First I’ve heard of this and I can see why Patchstack has not notified us directly and discreetly as they normally do when a vulnerability is reported. From the Patchstack link you posted, this appears to be a theoretical report as there is no proof-of-concept. The patchstack link you shared states:

“Solutions –This security issue has a low severity impact and is unlikely to be exploited.“

I’ve reviewed the public advisory which currently contains only a generic CSRF classification with that low severity and no proof-of-concept or affected endpoint. I’ve reached out to Patchstack for exact reproduction steps so we can evaluate and, if needed, issue a fix. If you have any additional technical details (endpoint, parameters, required state), please share so we can verify promptly.

Steve

@jvmd

Thanks for the clarification that you’re using WP Courseware. That helps.

a3 Lazy Load works by replacing video embeds (like YouTube/Vimeo iframes) with a placeholder thumbnail until the user scrolls. It’s possible that WP Courseware’s video gating logic is expecting the video iframe to be present right away — and when it’s lazy-loaded, their access check or play trigger doesn’t work.

Could you share a link to a lesson (even on a staging site) where we can see the issue? That would help us investigate a possible compatibility setting or exclusion rule for WP Courseware video blocks.

In the meantime, you could run a test by disabling lazy load for videos (via the plugin settings) to confirm that resolves the issue temporarily.

Thank you – Steve

Updated just 3 months ago – Tested and tag up to WordPress 6.7.1

Actively maintained for over a decade.

20,000 active uses and 2 support requests in the last 6 months that we did not get to.

What makes you think its abandoned?

Do you have an issue with the plugin that you need help with?

What makes you think that a3 Lazy Load is causing that issue?

@ritapalopoli

Please give me link to your site where I can see this happening.

Steve

Hello @utahcoffee

This is a very strange post. I am the plugin author and am not aware of this. Please tell me more?

Steve

Hello @davsvatos

Thanks for posting the warning messages – most helpful.

The warning message you’re seeing is related to a PHP configuration issue on your web server. Specifically, it’s about the open_basedir restriction, which is a security directive in PHP’s configuration that limits the files that can be opened by PHP to the specified directory-tree.

The message indicates that a PHP script is trying to access a file (/pvc_mixins.less) that is not within the allowed path(s) specified by the open_basedir directive. The allowed path(s) in your case is /data/web/virtuals/281706/virtual, but the script is attempting to access a file outside of this directory.

Here’s how you can address the issue:

1. Review the PHP Configuration: The open_basedir setting is specified in your PHP configuration file (php.ini), or it might be set at runtime using the ini_set() function. You’ll need to check where the restriction is being set. If you have access to the php.ini file, you can modify the open_basedir directive to include the path where /pvc_mixins.less is located.

2. Adjust the open_basedir Path: You need to add the path to the directory containing the /pvc_mixins.less file to your open_basedir directive. Make sure you separate multiple paths with a colon (:) on Unix/Linux systems or a semicolon (;) on Windows.
OR
3. Contact Hosting Provider: If you’re on shared hosting or don’t have access to modify the php.ini file directly, you may need to contact your hosting provider for assistance. They can adjust the open_basedir settings for you.

I hope that helps you.

Steve