cleantalk
Vulnerabilities and Security Researches

Autoptimize, CVE-2026-2430

CVE, Research URL

CVE-2026-2430

Home page URL

Security reports for Autoptimize

Application

Autoptimize

Published on
Mar 21, 2026
Research Description
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces all occurrences of `\ssrc=` in image tags without limiting to the actual attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by crafting an image tag where the `src` URL contains a space followed by `src=`, causing the regex to break the HTML structure and promote text inside attribute values into executable HTML attributes.
Affected versions
max 3.1.15.
Status
vulnerable
Previous vulnerability researches
Autoptimize (CVE-2026-2430) , Apr 14, 2026
Autoptimize (CVE-2026-2352) , Apr 14, 2026
Autoptimize (CVE-2025-13401) , Jan 09, 2026
Autoptimize (CVE-2021-24332) , Jun 07, 2024
Autoptimize (CVE-2020-24948) , Jun 07, 2024
New vulnerability
Electric Studio Download Counter (CVE-2026-0741) , Apr 17, 2026
Custom New User Notification (CVE-2026-3551) , Apr 17, 2026
3D viewer – Embed 3D Models on WordPress (CVE-2026-40729) , Apr 17, 2026
Customer Reviews for WooCommerce (CVE-2026-3355) , Apr 17, 2026
DirectoryPress – Business Directory And Classified Ad Listing (CVE-2026-3489) , Apr 17, 2026