CVE-2026-3220

Multiple Plugins - Unauthenticated Stored XSS via Minify Library

CVSS 8.8 HIGHEPSS 0.3%CWE-79

The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Unknown · Autoptimize Unknown · Clearfy Cache Unknown · Speed Optimizer

public PoCs found — 1

cve_referencewpscan.com/vulnerability/3ceabf11-23cd-4c38-ba14-014348b0ff2d/unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/3ceabf11-23cd-4c38-ba14-014348b0ff2d/