cleantalk
Vulnerabilities and Security Researches

Autoptimize, CVE-2026-3220

CVE, Research URL

CVE-2026-3220

Application

Autoptimize

Published on
May 18, 2026
Research Description
The Autoptimize WordPress plugin before 3.1.15, the Clearfy Cache WordPress plugin before 2.4.2, and the Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS). The cause is a predictable replacement hash used for placeholders during the HTML minification process, combined with abuse of a regular expression. By anticipating the placeholder format, an attacker can inject arbitrary HTML attributes into the final HTML output.
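The weakness class described above, as an added example that is not code from any of the affected plugins: a toy "hide, minify, restore" pass in which the placeholder is first derived from the hidden content alone and then from a per-request random nonce. The function names, the `@@KEEP_...@@` token format and the sample page are all constructed assumptions.

```php
<?php
// Toy "hide, minify, restore" pass. Names and token format are constructed,
// not taken from Autoptimize, Clearfy Cache or Speed Optimizer.

// Weak: the token depends only on the hidden block, so it can be computed in advance.
function weak_token(string $block): string {
    return '@@KEEP_' . md5($block) . '@@';
}

// Hardened: the token carries a per-request random nonce and cannot be predicted.
function strong_token(string $nonce, int $index): string {
    return '@@KEEP_' . $nonce . '_' . $index . '@@';
}

function minify(string $html, bool $hardened): string {
    $nonce = bin2hex(random_bytes(16));
    $store = [];
    // 1. Swap <pre> blocks for tokens so whitespace collapsing skips them.
    $html = preg_replace_callback('#<pre>.*?</pre>#s',
        function (array $m) use (&$store, $hardened, $nonce): string {
            $token = $hardened ? strong_token($nonce, count($store)) : weak_token($m[0]);
            $store[$token] = $m[0];
            return $token;
        }, $html);
    // 2. Minify: collapse runs of whitespace.
    $html = preg_replace('/\s+/', ' ', $html);
    // 3. Restore every token found in the page, wherever it appears.
    return $store ? strtr($html, $store) : $html;
}

// Constructed sample: one trusted block plus untrusted, HTML-escaped text that
// happens to contain the weak token for that block.
$block   = "<pre>a   b</pre>";
$comment = htmlspecialchars(weak_token($block)); // escaping leaves the token intact
$page    = "<div>$block</div>\n<p>$comment</p>";

foreach ([false, true] as $hardened) {
    $out = minify($page, $hardened);
    printf("%-8s restored <pre> blocks: %d\n",
        $hardened ? 'hardened' : 'weak', substr_count($out, '<pre>'));
}
```

With the weak token, the restore step also expands the copy inside the untrusted text, so output escaping applied before minification does not contain it; with the nonce-based token only the block the minifier itself hid is restored.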
Affected versions
max 3.1.15.
Status
vulnerable