Autoptimize WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Autoptimize plugin for WordPress, affecting all versions up to and including 3.1.14. The issue arises from inadequate input sanitization in the 'ao_metabox_save()' function, coupled with a lack of output escaping when the 'ao_post_preload' meta value is rendered into a '<link>' tag within 'autoptimizeImages.php'. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages, which are executed when a user accesses the affected page. The vulnerability is contingent upon the 'Image optimization' or 'Lazy-load images' settings being enabled in the plugin's configuration.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can inject a script into the 'ao_post_preload' meta value. This can be done by accessing the post or page editor, adding a script into the designated meta field, and saving the changes. Once the page is viewed, the injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update the Autoptimize plugin to version 3.1.15 or later, where this vulnerability has been addressed.