VYPR
High severity, score 8.8 · NVD Advisory · Published May 18, 2026 · Updated May 18, 2026

CVE-2026-3220

Description

The Autoptimize WordPress plugin before 3.1.15, the Clearfy Cache WordPress plugin before 2.4.2, and the Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process combined with abuse of a regular expression. This allows an attacker to inject arbitrary HTML attributes into the final HTML output by anticipating the placeholder format.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple WordPress caching/optimization plugins are vulnerable to unauthenticated stored XSS via predictable hash in HTML minification, allowing arbitrary attribute injection.

Vulnerability

Overview

The Autoptimize (before 3.1.15), Clearfy Cache (before 2.4.2), and Speed Optimizer (before 7.7.9) WordPress plugins are affected by an unauthenticated stored cross-site scripting (XSS) vulnerability. The root cause lies in the HTML minification process: these plugins use a predictable replacement hash for placeholders during minification, and an attacker can abuse a regular expression to inject arbitrary HTML attributes into the final output [1].

Exploitation

An unauthenticated attacker can craft a request containing malicious HTML attributes that, when processed by the minification routine, are inserted into the page's HTML. Because the placeholder format is deterministic, the attacker can anticipate the hash and ensure the injected attributes are rendered in the browser. No authentication or special privileges are required; the attack can be performed via any user-submitted content that passes through the minification pipeline (e.g., comments, posts) [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of a victim's browser. This can lead to session hijacking, website defacement, redirection to malicious sites, or theft of sensitive information. Since the XSS is stored, the malicious payload persists and affects all visitors to the affected page [1].

Mitigation

The vendors have released patched versions: Autoptimize 3.1.15, Clearfy Cache 2.4.2, and Speed Optimizer 7.7.9. Users are strongly advised to update immediately. No workaround is documented; updating is the only reliable fix [1].
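Since updating is the only documented fix, the practical check is whether any of the three plugins is installed at a version below its patched release. The following script is an added example, not code from the advisory or from any of the plugin vendors. It reads the JSON produced by `wp plugin list --format=json` (a real wp-cli command whose records carry `name`, `status`, `update` and `version` fields) and compares each installed version against the fixed versions stated above. The plugin slugs used as keys (`autoptimize`, `clearfy`, `sg-cachepress`) are an assumption of this example and should be checked against the site's own plugin directory; the sample input at the bottom is constructed.

```python
import json
import sys

# Fixed versions taken from the CVE-2026-3220 advisory text.
# Keys are wp-cli plugin slugs; the slug-to-plugin mapping is an
# assumption of this example, not something the advisory states.
FIXED_VERSIONS = {
    "autoptimize": "3.1.15",   # Autoptimize
    "clearfy": "2.4.2",        # Clearfy Cache
    "sg-cachepress": "7.7.9",  # Speed Optimizer
}


def parse_version(version):
    """Turn '3.1.15' into a comparable tuple of ints.

    Any non-numeric suffix on a component (e.g. '9-beta') is dropped, and
    a missing component is treated as 0, so '3.1' sorts below '3.1.15'.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(slug, installed_version):
    """True when the plugin is one of the affected ones and older than its fix."""
    fixed = FIXED_VERSIONS.get(slug)
    if fixed is None:
        return False
    return parse_version(installed_version) < parse_version(fixed)


def audit_plugin_list(wp_plugin_list_json):
    """Return one finding per affected plugin found below its fixed version.

    Inactive plugins are still reported: the vulnerable code remains on
    disk and the plugin may be re-enabled later.
    """
    findings = []
    for record in json.loads(wp_plugin_list_json):
        slug = record.get("name", "")
        version = record.get("version", "0")
        if is_vulnerable(slug, version):
            findings.append({
                "slug": slug,
                "installed": version,
                "fixed": FIXED_VERSIONS[slug],
                "status": record.get("status", "unknown"),
            })
    return sorted(findings, key=lambda f: f["slug"])


# Constructed sample of `wp plugin list --format=json` output for a demo run.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "autoptimize", "status": "active", "update": "available", "version": "3.1.14"},
    {"name": "clearfy", "status": "inactive", "update": "none", "version": "2.4.2"},
    {"name": "sg-cachepress", "status": "active", "update": "available", "version": "7.7.2"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])


if __name__ == "__main__":
    # Read real wp-cli output from stdin when piped; otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    results = audit_plugin_list(data)
    for f in results:
        print(f"{f['slug']}: installed {f['installed']} ({f['status']}), "
              f"fixed in {f['fixed']} -> update required for CVE-2026-3220")
    if not results:
        print("No affected plugin below its fixed version.")
    sys.exit(1 if results else 0)
```

Run it against a live site with `wp plugin list --format=json | python3 check_cve_2026_3220.py`; the non-zero exit status makes it usable as a gate in a scheduled job. Comparing on parsed version tuples rather than on strings matters here because a plain string comparison would rank "3.1.9" above "3.1.15".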

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References (1)
