cleantalk
Vulnerabilities and Security Researches

Autoptimize, CVE-2026-3220

CVE, Research URL

CVE-2026-3220

Home page URL

Security reports for Autoptimize

Application

Autoptimize

Published on
May 18, 2026
Research Description
The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.
Affected versions
max 3.1.15.
Status
vulnerable
Previous vulnerability researches
WP Learn Manager (CVE-2021-47975) , May 19, 2026
WP Learn Manager (CVE-2021-24504) , Jun 10, 2024
New vulnerability
WP Photo Album Plus (CVE-2026-6379) , May 20, 2026
The Ultimate Video Player For WordPress – by Presto Player (CVE-2026-45442) , May 19, 2026
WP Learn Manager (CVE-2021-47975) , May 19, 2026
Autoptimize (CVE-2026-3220) , May 19, 2026
Feeds for YouTube (YouTube video, channel, and gallery plugin) (CVE-2026-1631) , May 19, 2026