cleantalk
Vulnerabilities and Security Researches

Autoptimize, CVE-2025-13401

CVE, Research URL

CVE-2025-13401

Home page URL

Security reports for Autoptimize

Application

Autoptimize

Published on
Dec 03, 2025
Research Description
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attributes in the "create_img_preload_tag" function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.1.14.
Status
vulnerable
Previous vulnerability researches
SKT Skill Bar (CVE-2025-66090) , Dec 11, 2025
SKT Skill Bar (CVE-2024-38698) , Jul 15, 2024
SKT Skill Bar (CVE-2025-47482) , May 09, 2025
SKT Skill Bar (CVE-2025-26880) , Apr 15, 2025
New vulnerability
Document Library Lite (CVE-2025-67986) , Jan 09, 2026
Document Library Lite (CVE-2025-67985) , Jan 09, 2026
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (CVE-2025-13642) , Jan 09, 2026
Ultimate FAQ – WordPress FAQ and Accordion Plugin (CVE-2025-67590) , Jan 09, 2026
Import CSV or XML Datafeed With Ease (CVE-2025-14627) , Jan 09, 2026