CVE-2026-3220

Published: May 18, 2026

Modified: May 18, 2026

PUBLISHED

Description

The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

Vendor	Product	Versions
Unknown	Autoptimize	affected `0 - < 3.1.15`
Unknown	Clearfy Cache	affected `0 - < 2.4.2`
Unknown	Speed Optimizer	affected `0 - < 7.7.9`

References

https://wpscan.com/vulnerability/3ceabf11-23cd-4c38-ba14-014348b0ff2d/

exploit

vdb-entry

technical-description

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-3220

Description

Affected Products

References