CVE-2026-3220 PUBLISHED

Multiple Plugins - Unauthenticated Stored XSS via Minify Library

Assigner: WPScan
Reserved: 25.02.2026 Published: 18.05.2026 Updated: 18.05.2026

The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

Product Status

Vendor	Unknown
Product	Autoptimize
Versions	Default: unaffected affected from 0 to 3.1.15 (excl.)

Vendor	Unknown
Product	Clearfy Cache
Versions	Default: unaffected affected from 0 to 2.4.2 (excl.)

Vendor	Unknown
Product	Speed Optimizer
Versions	Default: unaffected affected from 0 to 7.7.9 (excl.)

Credits

Matthew Rollings finder
WPScan coordinator

References

https://wpscan.com/vulnerability/3ceabf11-23cd-4c38-ba14-014348b0ff2d/

Problem Types

CWE-79 Cross-Site Scripting (XSS) CWE