๐Ÿ” CVE Alert

CVE-2026-3220

HIGH 8.8

Multiple Plugins - Unauthenticated Stored XSS via Minify Library

CVSS Score: 8.8
EPSS Score: 0.0%
EPSS Percentile: 8th

The Autoptimize WordPress plugin before 3.1.15, the Clearfy Cache WordPress plugin before 2.4.2, and the Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS). The cause is a predictable replacement hash used during the HTML minification process, combined with abuse of a regular expression. By anticipating the placeholder format, an attacker can inject arbitrary HTML attributes into the final HTML output.

Vendor: unknown
Product: autoptimize
Published: May 18, 2026
Last Updated: May 18, 2026

Affected Versions

Unknown / Autoptimize: 0 < 3.1.15
Unknown / Clearfy Cache: 0 < 2.4.2
Unknown / Speed Optimizer: 0 < 7.7.9

References

wpscan.com: https://wpscan.com/vulnerability/3ceabf11-23cd-4c38-ba14-014348b0ff2d/

Credits

Matthew Rollings WPScan