Impact
The vulnerability affects the Autoptimize, Clearfy Cache, and Speed Optimizer WordPress plugins, whose minification routine uses a predictable replacement hash and a poorly constructed regular expression. This permits an attacker to inject arbitrary HTML attributes into the final page output, resulting in stored cross-site scripting (XSS) that can persistently affect every visitor to the site. The injected content is rendered in the context of the user's browser, enabling potential session hijacking, credential theft, or manipulation of site appearance. The weakness is classified as CWE-79.
Affected Systems
WordPress installations that run Autoptimize versions earlier than 3.1.15, Clearfy Cache earlier than 2.4.2, or Speed Optimizer earlier than 7.7.9 are susceptible. These third-party plugins are widely distributed through the WordPress ecosystem and are commonly found on both personal blogs and corporate sites, so the potential impact could be broad.
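A defender-side check for the version ranges above, added here as an example and not taken from the advisory or from any of the plugins: it reads the standard WordPress plugin header (`Plugin Name`, `Version`) from each plugin's top-level PHP files and flags installs below the fixed releases. It assumes each plugin's `Plugin Name` header matches the name used in this advisory; the plugins directory path is supplied by the operator.

```python
import re
import sys
from pathlib import Path

# First fixed release per plugin, taken from the advisory text above.
# Assumption: the "Plugin Name" header equals the name used in the advisory.
FIXED = {
    "autoptimize": (3, 1, 15),
    "clearfy cache": (2, 4, 2),
    "speed optimizer": (7, 7, 9),
}
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_version(text):
    """'3.1.14' -> (3, 1, 14); short versions are zero-padded to three parts."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def check_plugin(php_source):
    """Return (name, version, vulnerable) for a listed plugin, else None."""
    headers = {}
    # WordPress itself only reads the first 8 KiB when looking for headers.
    for key, value in HEADER.findall(php_source[:8192]):
        headers.setdefault(key.lower(), value)
    name, version = headers.get("plugin name"), headers.get("version")
    fixed = FIXED.get((name or "").lower())
    if fixed is None or not version:
        return None
    return name, version, parse_version(version) < fixed

def scan(plugins_dir):
    """Check the top-level PHP files of every plugin directory."""
    results = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        hit = check_plugin(php.read_text(encoding="utf-8", errors="replace"))
        if hit:
            results.append((php.parent.name,) + hit)
    return results

if __name__ == "__main__":
    # Usage: python check_minify_plugins.py /path/to/wp-content/plugins
    for folder, name, version, vulnerable in scan(sys.argv[1]):
        status = "VULNERABLE, update" if vulnerable else "ok"
        print(f"{folder}: {name} {version} -> {status}")
```

A version string with no digits is treated as 0.0.0 and therefore flagged, which errs on the side of review.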
Risk and Exploitability
The flaw can be triggered without authentication: any unauthenticated input that passes through the minification process, such as plugin configuration fields or comment submissions, may be exploited. No official exploit has yet been published and the EPSS score is not available, but the simplicity of injecting markup suggests that attackers could craft manual or automated payloads quickly. Because the XSS is stored, every site visitor becomes a potential victim. The vulnerability is not listed in the CISA KEV catalog, and the lack of an EPSS score does not negate the risk of widespread exploitation by determined adversaries.
OpenCVE Enrichment