CVE-2026-3220
Status: Deferred - Pending Action

Stored XSS in Autoptimize WordPress Plugin

Vulnerability report for CVE-2026-3220, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-18

Last updated on: 2026-05-18

Assigner: WPScan

Description

The Autoptimize WordPress plugin before 3.1.15, the Clearfy Cache WordPress plugin before 2.4.2, and the Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process, combined with the abuse of a regular expression. This allows an attacker to inject arbitrary HTML attributes into the final HTML output by anticipating the placeholder format.

Meta Information

Published: 2026-05-18
Last Modified: 2026-05-18
Generated: 2026-06-30
AI Q&A: 2026-05-18
EPSS Evaluated: 2026-06-28

Affected Vendors & Products

Showing 3 associated CPEs

Vendor          Product         Version / Range
autoptimize     autoptimize     3.1.15
clearfy         clearfy         2.4.2
sg-cachepress   sg-cachepress   7.7.9

Exploitability

CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

CVE-2026-3220 is a vulnerability affecting multiple WordPress plugins including Autoptimize, Clearfy Cache, and Speed Optimizer. It is an unauthenticated stored Cross-Site Scripting (XSS) flaw caused by a predictable replacement hash used during the HTML minification process combined with a flawed regular expression. This weakness allows an attacker to inject arbitrary HTML attributes into the final HTML output by anticipating the placeholder format used in the minification.

Impact Analysis

This vulnerability can have a high impact because it allows attackers to execute arbitrary HTML or script code in the context of the affected website without authentication. This can lead to theft of user data, session hijacking, defacement of the website, or distribution of malicious content. The CVSS score of 8.8 indicates high severity, meaning the risk to confidentiality, integrity, and availability is significant.

Mitigation Strategies

To mitigate this vulnerability, immediately update the affected WordPress plugins to their fixed versions:

  • Update Autoptimize plugin to version 3.1.15 or later.
  • Update Clearfy Cache plugin to version 2.4.2 or later.
  • Update Speed Optimizer (sg-cachepress) plugin to version 7.7.9 or later.

These updates address the unauthenticated stored Cross-Site Scripting vulnerability caused by a predictable replacement hash and flawed regular expression during HTML minification.
