CVE-2026-2430
Stored XSS in Autoptimize WordPress Plugin via Lazy-Loading Images
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| futtta | autoptimize | up to and including 3.1.14 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Autoptimize plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its lazy-loading image processing in all versions up to and including 3.1.14.
This vulnerability arises because the function responsible for adding lazy loading to images uses an overly permissive regular expression that replaces all occurrences of "\ssrc=" in image tags without properly limiting the replacement to the actual attribute.
As a result, an authenticated attacker with Contributor-level access or higher can craft an image tag where the src URL contains a space followed by "src=", which breaks the HTML structure and allows injection of arbitrary web scripts.
These injected scripts execute whenever a user accesses the compromised page, enabling stored XSS attacks.
How can this vulnerability impact me?
This vulnerability allows authenticated users with Contributor-level access or above to inject malicious scripts into pages via crafted image tags.
When other users visit these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions performed on behalf of the victim.
The CVSS v3.1 base score of 6.4 indicates a medium severity impact with low attack complexity but requiring privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the HTML content of pages generated by the Autoptimize plugin for WordPress, specifically looking for image tags where the src attribute contains a space followed by src=, which breaks the HTML structure.
Since the issue arises from an overly permissive regular expression in the add_lazyload function that replaces occurrences of ' src=' in image tags, detection can involve searching for suspicious image tags with malformed src attributes.
- Use command-line tools like grep, or curl combined with grep, to fetch and scan pages for suspicious patterns, for example:
  curl -s https://yourwordpresssite.com/page | grep -oP '<img[^>]*src="[^"]* src='
- Or scan stored posts or pages in the WordPress database for image tags containing ' src=' sequences that could indicate injected payloads. [1]
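As an added example (not code from the advisory or from the Autoptimize project), the following Python scanner implements the detection idea above with a real HTML parser rather than a grep pattern, so it also catches single-quoted attributes and tags where src is not the first attribute. The sample HTML, URLs and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample fragment: one normal image, two whose src value carries
# whitespace followed by "src=" (the malformed shape the advisory describes),
# and one legitimately lazy-loaded image that must not be flagged.
SAMPLE_HTML = """
<p>Intro</p>
<img src="https://example.test/a.png" alt="ok">
<img src="https://example.test/b.png src=x" alt="broken">
<img alt="broken2" src='https://example.test/c.png src=y'>
<img data-src="https://example.test/d.png" src="data:image/gif;base64,R0lGOD" alt="lazy">
"""

# Whitespace followed by "src=" inside an attribute value: the sequence the
# advisory says the lazy-loading regex should not have matched.
SUSPECT = re.compile(r"\ssrc=", re.IGNORECASE)


class ImgScanner(HTMLParser):
    """Collects <img> tags whose src attribute value embeds a second 'src='."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        # attrs is a list of (name, value); the parser has already resolved
        # quoting, so a value containing spaces arrives as one string.
        for name, value in attrs:
            if name.lower() == "src" and value and SUSPECT.search(value):
                self.findings.append((self.getpos()[0], value))


def scan_html(html):
    """Return [(line_number, src_value), ...] for suspicious <img> tags."""
    scanner = ImgScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for line_no, src in scan_html(SAMPLE_HTML):
        print(f"line {line_no}: suspicious src value {src!r}")
```

Feed it the body returned by curl for a page, or the post_content of stored posts exported from the database, to cover both detection paths mentioned above.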
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Autoptimize plugin to a version that includes the fix for this vulnerability.
The fix involves replacing the vulnerable regular expression-based lazy loading implementation with a safer string replacement approach that avoids the regex issue.
If updating is not immediately possible, consider disabling the lazy-loading feature in the Autoptimize plugin to prevent exploitation.
Additionally, restrict Contributor-level and higher user permissions to trusted users only, as exploitation requires authenticated access at that level.