CVE-2026-2430

Name of the Vulnerable Software and Affected Versions Autoptimize versions up to and including 3.1.14

Description The Autoptimize plugin for WordPress is susceptible to Stored Cross-Site Scripting through the lazy-loading image processing. This is caused by an overly permissive regular expression in the add lazyload function. The regular expression replaces all instances of ssrc= in image tags without restriction to the actual attribute. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. Attackers can achieve this by creating an image tag where the src URL contains a space followed by src=, which breaks the HTML structure and promotes text inside attribute values into executable HTML attributes.

Recommendations Update Autoptimize to a version later than 3.1.14.