Description
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces all occurrences of `\ssrc=` in image tags without limiting to the actual attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by crafting an image tag where the `src` URL contains a space followed by `src=`, causing the regex to break the HTML structure and promote text inside attribute values into executable HTML attributes.
Published: 2026-03-20
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via lazy‑load image attributes
Action: Patch
AI Analysis

Impact

The Autoptimize WordPress plugin contains an overly permissive regular expression in its lazy‑loading image routine that indiscriminately replaces every occurrence of the string " src=" within image tags. When a user with Contributor access or higher crafts an image tag whose src URL contains a space followed by "src=", the regex corrupts the HTML structure, allowing arbitrary script content to be injected into authorisable pages. Once a victim visitor loads such a page, the injected script executes in their browser, enabling theft of session cookies, credential compromise, or other client‑side attacks. This is a classic stored cross‑site scripting vulnerability that affects only sites where the attacker can create or modify content, but can impact all users who view that content.

Affected Systems

WordPress sites that have installed the Autoptimize plugin version 3.1.14 or earlier, provided the site allows users with Contributor or higher roles to add or edit media or posts. The vendor is "optimizingmatters:Autoptimize"; any installation of the affected plugin will be susceptible if the relevant content can be injected by an authenticated contributor. Administrators who restrict contributor access or disable lazy‑load features may reduce exposure, but the fundamental flaw remains until a patch is applied.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating moderate severity. No EPSS score is available, and it is not listed in the CISA KEV catalog. Exploitation requires authenticated access with at least Contributor privileges, meaning the threat is limited to users who can add or edit content. Once such a user injects malicious code, the impact extends to all site visitors who access the compromised page. The attack vector is via crafted image URLs inserted into content, making the flaw relatively straightforward for an authorized user to use.

Generated by OpenCVE AI on March 21, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Autoptimize to version 3.1.15 or newer.
  • Remove any existing images or content that may contain injected scripts, particularly those added by contributors.
  • If possible, restrict Contributor or higher roles from adding media that could be used for XSS via lazy‑loading, or temporarily disable the lazy‑loading feature until a patch is applied.

Generated by OpenCVE AI on March 21, 2026 at 07:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Optimizingmatters
Optimizingmatters autooptimize
Wordpress
Wordpress wordpress
Vendors & Products Optimizingmatters
Optimizingmatters autooptimize
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces all occurrences of `\ssrc=` in image tags without limiting to the actual attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by crafting an image tag where the `src` URL contains a space followed by `src=`, causing the regex to break the HTML structure and promote text inside attribute values into executable HTML attributes.
Title Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lazy-loaded Image Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Optimizingmatters Autooptimize
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:09.590Z

Reserved: 2026-02-12T21:12:58.849Z

Link: CVE-2026-2430

cve-icon Vulnrichment

Updated: 2026-03-23T18:27:11.711Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-21T00:16:26.053

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-2430

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:33:33Z

Weaknesses