Autoptimize, Clearfy Cache, and Speed Optimizer WordPress Plugins Unauthenticated Stored Cross-Site Scripting Vulnerability

Vulnerability

An unauthenticated stored cross-site scripting (XSS) vulnerability has been identified in the Autoptimize WordPress plugin (versions prior to 3.1.15), the Clearfy Cache WordPress plugin (versions prior to 2.4.2), and the Speed Optimizer WordPress plugin (versions prior to 7.7.9). It arises from a predictable replacement hash used during the HTML minification process, which is exploited by manipulating a regular expression. By anticipating the placeholder format, an attacker can inject arbitrary HTML attributes into the final output.

Impact

Exploitation of this vulnerability allows for unauthenticated stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Remediation

Users of the affected plugins should update to Autoptimize version 3.1.15, Clearfy Cache version 2.4.2, or Speed Optimizer version 7.7.9.
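
One way to check an installation against the fixed versions above, as an added example (not code from the advisory or the plugin authors): it reads the header comment of a plugin's main PHP file and compares the version numerically, since a plain string comparison would rank 3.1.9 above 3.1.15. Matching on the Plugin Name header text is an assumption of this example, and the sample headers are constructed.

```python
import re

# Fixed releases as stated in the advisory. Keying on the "Plugin Name"
# header text is an assumption of this example.
FIXED = {
    "autoptimize": "3.1.15",
    "clearfy cache": "2.4.2",
    "speed optimizer": "7.7.9",
}

HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.I | re.M)


def parse_header(php_source):
    """Extract (name, version) from a plugin's main-file header comment."""
    fields = {}
    for key, value in HEADER.findall(php_source[:8192]):  # headers sit at the top of the file
        fields.setdefault(key.lower(), value.strip())
    return fields.get("plugin name"), fields.get("version")


def numeric(version):
    """Turn '3.1.9' into (3, 1, 9) so components compare as numbers."""
    m = re.match(r"\d+(?:\.\d+)*", version or "")
    return tuple(int(p) for p in m.group().split(".")) if m else None


def assess(php_source):
    """Return 'vulnerable', 'patched', 'unknown-version' or 'not-listed'."""
    name, version = parse_header(php_source)
    fixed = FIXED.get((name or "").lower())
    if fixed is None:
        return "not-listed"
    have, want = numeric(version), numeric(fixed)
    if have is None:
        return "unknown-version"
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))  # "2.4" is compared as 2.4.0
    want += (0,) * (width - len(want))
    return "vulnerable" if have < want else "patched"


# Constructed sample headers (not copied from the real plugins).
SAMPLES = {
    "old": "<?php\n/*\nPlugin Name: Autoptimize\nVersion: 3.1.9\n*/\n",
    "new": "<?php\n/**\n * Plugin Name: Speed Optimizer\n * Version: 7.7.9\n */\n",
    "other": "<?php\n/*\nPlugin Name: Example Plugin\nVersion: 1.0.0\n*/\n",
}
```

A header with a missing or non-numeric version yields unknown-version and should be checked by hand.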

Added: May 25, 2026, 12:13 PM
Updated: May 25, 2026, 12:13 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 1.7
exploitability: 7.9
remediation: 7.7
relevance: 8.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.