CVE-2025-13401

Name of the Vulnerable Software and Affected Versions Autoptimize versions prior to 3.1.14

Description The Autoptimize plugin for WordPress is susceptible to Stored Cross-Site Scripting through the LCP Image to preload metabox. This is due to inadequate input sanitization and output escaping of user-provided image attributes within the create img preload tag function. Authenticated attackers with contributor-level access or higher can inject malicious web scripts into pages. These scripts will then execute whenever a user accesses the compromised page.

Recommendations Update Autoptimize to version 3.1.14 or later.