cleantalk
Vulnerabilities and Security Researches

Autoptimize, CVE-2026-2352

CVE, Research URL

CVE-2026-2352

Home page URL

Security reports for Autoptimize

Application

Autoptimize

Published on
Mar 21, 2026
Research Description
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_preload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input sanitization in the `ao_metabox_save()` function and missing output escaping when the value is rendered into a `<link>` tag in `autoptimizeImages.php`. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted the "Image optimization" or "Lazy-load images" setting is enabled in the plugin configuration.
Affected versions
max 3.1.15.
Status
vulnerable
Previous vulnerability researches
Autoptimize (CVE-2026-2430) , Apr 14, 2026
Autoptimize (CVE-2026-2352) , Apr 14, 2026
Autoptimize (CVE-2025-13401) , Jan 09, 2026
Autoptimize (CVE-2021-24332) , Jun 07, 2024
Autoptimize (CVE-2020-24948) , Jun 07, 2024
New vulnerability
Electric Studio Download Counter (CVE-2026-0741) , Apr 17, 2026
Custom New User Notification (CVE-2026-3551) , Apr 17, 2026
3D viewer &#8211; Embed 3D Models on WordPress (CVE-2026-40729) , Apr 17, 2026
Customer Reviews for WooCommerce (CVE-2026-3355) , Apr 17, 2026
DirectoryPress &#8211; Business Directory And Classified Ad Listing (CVE-2026-3489) , Apr 17, 2026