{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2430", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-12T21:12:58.849Z", "datePublished": "2026-03-20T23:25:14.410Z", "dateUpdated": "2026-04-08T17:28:09.590Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:09.590Z"}, "affected": [{"vendor": "optimizingmatters", "product": "Autoptimize", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces all occurrences of `\\ssrc=` in image tags without limiting to the actual attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by crafting an image tag where the `src` URL contains a space followed by `src=`, causing the regex to break the HTML structure and promote text inside attribute values into executable HTML attributes."}], "title": "Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lazy-loaded Image Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc5c4d7-09dc-45bf-a3c7-5a0757e3110a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/autoptimize/trunk/classes/autoptimizeImages.php#L987"}, {"url": "https://plugins.trac.wordpress.org/browser/autoptimize/tags/3.1.14/classes/autoptimizeImages.php#L987"}, {"url": "https://github.com/futtta/autoptimize/commit/a0f87112fe80b5a97b036229c41cb18454392858"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3482530%40autoptimize&new=3482530%40autoptimize&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2026-02-12T21:28:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-20T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T18:26:25.579305Z", "id": "CVE-2026-2430", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T18:27:21.821Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2430", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T18:26:25.579305Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T18:27:11.711Z"}}], "cna": {"title": "Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lazy-loaded Image Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "optimizingmatters", "product": "Autoptimize", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.1.14"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-12T21:28:18.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-20T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc5c4d7-09dc-45bf-a3c7-5a0757e3110a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/autoptimize/trunk/classes/autoptimizeImages.php#L987"}, {"url": "https://plugins.trac.wordpress.org/browser/autoptimize/tags/3.1.14/classes/autoptimizeImages.php#L987"}, {"url": "https://github.com/futtta/autoptimize/commit/a0f87112fe80b5a97b036229c41cb18454392858"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3482530%40autoptimize&new=3482530%40autoptimize&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces all occurrences of `\\ssrc=` in image tags without limiting to the actual attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by crafting an image tag where the `src` URL contains a space followed by `src=`, causing the regex to break the HTML structure and promote text inside attribute values into executable HTML attributes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:09.590Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2430", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:28:09.590Z", "dateReserved": "2026-02-12T21:12:58.849Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-20T23:25:14.410Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces all occurrences of `\\ssrc=` in image tags without limiting to the actual attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by crafting an image tag where the `src` URL contains a space followed by `src=`, causing the regex to break the HTML structure and promote text inside attribute values into executable HTML attributes."}, {"lang": "es", "value": "El plugin Autoptimize para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del procesamiento de im\u00e1genes de carga diferida en todas las versiones hasta la 3.1.14, inclusive. Esto se debe al uso de una expresi\u00f3n regular excesivamente permisiva en la funci\u00f3n `add_lazyload` que reemplaza todas las ocurrencias de `\\ssrc=` en las etiquetas de imagen sin limitarse al atributo real. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada al crear una etiqueta de imagen donde la URL `src` contiene un espacio seguido de `src=`, lo que hace que la expresi\u00f3n regular rompa la estructura HTML y promueva texto dentro de los valores de los atributos a atributos HTML ejecutables."}], "id": "CVE-2026-2430", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T00:16:26.053", "references": [{"source": "security@wordfence.com", "url": "https://github.com/futtta/autoptimize/commit/a0f87112fe80b5a97b036229c41cb18454392858"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/autoptimize/tags/3.1.14/classes/autoptimizeImages.php#L987"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/autoptimize/trunk/classes/autoptimizeImages.php#L987"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3482530%40autoptimize&new=3482530%40autoptimize&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc5c4d7-09dc-45bf-a3c7-5a0757e3110a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.14]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Autoptimize", "source": "cna", "vendor": "optimizingmatters"}, "product": "autooptimize", "vendor": "optimizingmatters"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:24:06.843619+00:00", "value": {"mitigation_remediation": ["Update Autoptimize to version 3.1.15 or newer.", "Remove any existing images or content that may contain injected scripts, particularly those added by contributors.", "If possible, restrict Contributor or higher roles from adding media that could be used for XSS via lazy\u2011loading, or temporarily disable the lazy\u2011loading feature until a patch is applied."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting via lazy\u2011load image attributes"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Autoptimize plugin version 3.1.14 or earlier, provided the site allows users with Contributor or higher roles to add or edit media or posts. The vendor is \"optimizingmatters:Autoptimize\"; any installation of the affected plugin will be susceptible if the relevant content can be injected by an authenticated contributor. Administrators who restrict contributor access or disable lazy\u2011load features may reduce exposure, but the fundamental flaw remains until a patch is applied.", "description_and_impact": "The Autoptimize WordPress plugin contains an overly permissive regular expression in its lazy\u2011loading image routine that indiscriminately replaces every occurrence of the string \" src=\" within image tags. When a user with Contributor access or higher crafts an image tag whose src URL contains a space followed by \"src=\", the regex corrupts the HTML structure, allowing arbitrary script content to be injected into authorisable pages. Once a victim visitor loads such a page, the injected script executes in their browser, enabling theft of session cookies, credential compromise, or other client\u2011side attacks. This is a classic stored cross\u2011site scripting vulnerability that affects only sites where the attacker can create or modify content, but can impact all users who view that content.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4, indicating moderate severity. No EPSS score is available, and it is not listed in the CISA KEV catalog. Exploitation requires authenticated access with at least Contributor privileges, meaning the threat is limited to users who can add or edit content. Once such a user injects malicious code, the impact extends to all site visitors who access the compromised page. The attack vector is via crafted image URLs inserted into content, making the flaw relatively straightforward for an authorized user to use."}}}}, "created": "2026-03-23T09:51:34.087435+00:00", "updated": "2026-03-25T14:33:33.738171+00:00", "vendors": ["optimizingmatters", "optimizingmatters$PRODUCT$autooptimize", "wordpress", "wordpress$PRODUCT$wordpress"]}