VYPR

Autoptimize

by WordPress

Source repositories

CVEs (12)

  • CVE-2021-24376CriJun 21, 2021
    risk 0.64cvss 9.8epss 0.04

    The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a…

  • CVE-2026-3220HigMay 18, 2026
    risk 0.57cvss 8.8epss 0.00

    The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML…

  • CVE-2021-24377HigJun 21, 2021
    risk 0.53cvss 8.1epss 0.01

    The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the…

  • CVE-2020-24948HigSep 3, 2020
    risk 0.48cvss 7.2epss 0.13

    The ao_ccss_import AJAX call in Autoptimize Wordpress Plugin 2.7.6 does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to remote command execution.

  • CVE-2026-2430MedMar 21, 2026
    risk 0.35cvss 6.4epss 0.00

    The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces…

  • CVE-2026-2352MedMar 21, 2026
    risk 0.35cvss 6.4epss 0.00

    The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_preload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input sanitization in the `ao_metabox_save()` function and missing output escaping…

  • CVE-2025-13401MedDec 3, 2025
    risk 0.35cvss 6.4epss 0.00

    The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attributes in the…

  • CVE-2022-4057MedJan 2, 2023
    risk 0.35cvss 5.3epss 0.01

    The Autoptimize WordPress plugin before 3.1.0 uses an easily guessable path to store plugin's exported settings and logs.

  • CVE-2023-2113MedMay 30, 2023
    risk 0.31cvss 4.8epss 0.00

    The Autoptimize WordPress plugin before 3.1.7 does not sanitise and escape the settings imported from a previous export, allowing high privileged users (such as an administrator) to inject arbitrary javascript into the admin panel, even when the unfiltered_html capability is…

  • CVE-2022-2635MedSep 16, 2022
    risk 0.31cvss 4.8epss 0.01

    The Autoptimize WordPress plugin before 3.1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite…

  • CVE-2021-24378MedJun 21, 2021
    risk 0.31cvss 4.8epss 0.01

    The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive…

  • CVE-2021-24332MedMay 24, 2021
    risk 0.31cvss 4.8epss 0.01

    The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues