PT-2026-26711 · WordPress · Autoptimize
Hung Nguyen · Published 2026-03-20 · Updated 2026-03-21 · CVE-2026-2352
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Autoptimize versions prior to 3.1.15
Description
The Autoptimize plugin for WordPress is susceptible to Stored Cross-Site Scripting through the ao post preload meta value. This is a result of inadequate input sanitization within the ao metabox save() function and a lack of output escaping when the value is rendered into a <link> tag in autoptimizeImages.php. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses an injected page, provided the "Image optimization" or "Lazy-load images" setting is enabled in the plugin configuration.
Recommendations
Update Autoptimize to version 3.1.15 or later.
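The two gaps named in the description (no sanitization when the meta value is saved, no escaping when it is written into the <link> tag) are shown below in plain PHP. This is an added example, not Autoptimize's code: the function names, the rel="preload" tag shape and the sample values are assumptions. In a WordPress plugin the equivalent helpers are esc_url_raw() on save and esc_url() or esc_attr() on output.

```php
<?php
// Added illustration, not Autoptimize's code; all function names are hypothetical.

// Save side: keep only an absolute http(s) URL with no quotes, markup or whitespace.
function sanitize_preload_value(string $raw): string
{
    $value = trim($raw);
    if ($value === '' || preg_match('/[\x00-\x20"\'<>`\\\\]/', $value)) {
        return '';
    }
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    $host   = parse_url($value, PHP_URL_HOST);
    if (!in_array($scheme, ['http', 'https'], true) || empty($host)) {
        return '';
    }
    return $value;
}

// Vulnerable pattern: the stored value is concatenated into the attribute as-is.
function render_preload_unescaped(string $stored): string
{
    return '<link rel="preload" as="image" href="' . $stored . '">';
}

// Hardened pattern: escape for the HTML attribute context at output time,
// even when the value was already validated on save.
function render_preload_escaped(string $stored): string
{
    $href = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<link rel="preload" as="image" href="' . $href . '">';
}

// Constructed sample inputs: an ordinary image URL, and a value whose double
// quote would end the href attribute early if written out unescaped.
$samples = [
    'https://example.com/hero.jpg',
    'https://example.com/a.jpg"><b>marker</b>',
];

foreach ($samples as $raw) {
    echo "input:     $raw\n";
    echo "unescaped: " . render_preload_unescaped($raw) . "\n";
    echo "escaped:   " . render_preload_escaped($raw) . "\n";
    echo "save side: " . var_export(sanitize_preload_value($raw), true) . "\n\n";
}
```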
Fix
XSS
Affected Products
Autoptimize