Autoptimize WordPress Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Autoptimize plugin for WordPress, affecting all versions up to and including 3.1.14. The issue arises from an overly permissive regular expression in the 'add_lazyload' function, which improperly handles 'src' and 'srcset' attributes in image tags. This flaw allows authenticated attackers with Contributor-level access or higher to inject arbitrary scripts into pages, exploiting the lazy-loading image feature. The injected scripts are executed when a user views the affected page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can create a post or page and insert an image tag. The 'src' URL of the image must include a space followed by 'src=', which will trick the regular expression into misinterpreting the HTML structure. Once the image is saved and the page is viewed, the injected script will execute.

Remediation

Users are advised to update the Autoptimize plugin to version 3.1.15 or later, where this vulnerability has been patched.

Added: Mar 21, 2026, 12:31 AM
Updated: Mar 21, 2026, 12:31 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 1.7
exploitability: 6.2
remediation: 7.7
relevance: 4.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.