CVE-2025-13401 in Autoptimize Plugin
Summary
by MITRE • 12/03/2025
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attributes in the "create_img_preload_tag" function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 12/03/2025
The Autoptimize plugin for WordPress contains a critical stored cross-site scripting vulnerability, tracked as CVE-2025-13401, affecting all versions up to and including 3.1.13. The flaw resides in the LCP Image to preload metabox, where user-supplied image attributes are neither adequately sanitized on input nor escaped on output. Specifically, the create_img_preload_tag function fails to validate or escape its input parameters before rendering them in an HTML output context. Attackers with contributor-level privileges or higher can inject scripts that persist in the plugin's stored metadata, which makes the vulnerability particularly dangerous because the payload remains in the affected WordPress installation until it is removed.
Exploitation follows the well-established pattern of CWE-79 (Improper Neutralization of Input During Web Page Generation). Insufficient input sanitization combined with inadequate output escaping lets attacker-controlled data flow directly into an HTML context. The vulnerability is classified as stored XSS because the malicious payload is saved in the WordPress database and executed whenever an affected page is rendered, rather than requiring a separate delivery to each victim. The weakness sits in the plugin's image preloading feature for LCP (Largest Contentful Paint) optimization, which improves page performance by preloading critical images.
The operational impact of CVE-2025-13401 extends beyond a single script execution: it gives attackers a persistent foothold in the WordPress installation. Because only contributor-level access is required, the risk is significant for sites with permissive user management policies. Once exploited, the stored script executes for every user who views a page containing the injected content, which can lead to session hijacking, data exfiltration, or further compromise of the WordPress environment. The impact is greatest in multi-user environments where contributors may have access to sensitive content or administrative features.
Mitigation strategies for CVE-2025-13401 should prioritize immediate plugin updates to versions that address the identified XSS vulnerability. Organizations should implement strict input validation and output escaping mechanisms within their WordPress installations, particularly for any user-supplied content that gets rendered in HTML contexts. The principle of least privilege should be enforced by limiting contributor-level access to only necessary functions and monitoring user activities for suspicious behavior. Additionally, implementing content security policies and regular security audits of WordPress plugins can help prevent similar vulnerabilities from being exploited. This vulnerability demonstrates the importance of proper input validation and output escaping as outlined in the OWASP Top Ten and aligns with ATT&CK technique T1566.001 for credential access through malicious content injection, making it a critical concern for WordPress security posture management.
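The defect class described in the analysis (attribute values concatenated into the preload tag without escaping) beside the validate-then-escape form that the mitigation paragraph calls for, as an added Python example that is not the plugin's code (the plugin is PHP; the function names, the tag template and the sample metabox input are constructed assumptions). The parser at the end shows how a defender can tell, from the rendered tag, that a value escaped its attribute.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed metabox input (not from the advisory): the src value carries a
# double quote, which is all it takes to break out of a quoted HTML attribute.
SAMPLE_ATTRS = {
    "src": 'hero.jpg" onerror="evil()',
    "srcset": "hero-480.jpg 480w, hero-960.jpg 960w",
    "sizes": "(max-width: 600px) 480px, 960px",
}
# Assumed shape of the preload tag; the plugin's real template may differ.
TEMPLATE = ('<link rel="preload" as="image" href="{src}" '
            'imagesrcset="{srcset}" imagesizes="{sizes}">')

def vulnerable_preload_tag(attrs):
    """Defect class from the advisory: raw values interpolated into attributes."""
    return TEMPLATE.format(**{k: attrs.get(k, "") for k in ("src", "srcset", "sizes")})

def safe_url(value):
    """Input validation: keep relative or http(s) URLs, drop any other scheme."""
    return value if urlsplit(value).scheme.lower() in ("", "http", "https") else ""

def hardened_preload_tag(attrs):
    """Validate each URL, then HTML-escape every value (quotes included)."""
    candidates = []
    for cand in attrs.get("srcset", "").split(","):
        parts = cand.split()
        if parts and safe_url(parts[0]):
            candidates.append(" ".join(parts))
    esc = lambda v: html.escape(v, quote=True)
    return TEMPLATE.format(src=esc(safe_url(attrs.get("src", ""))),
                           srcset=esc(", ".join(candidates)),
                           sizes=esc(attrs.get("sizes", "")))

class _LinkAttrs(HTMLParser):
    """Collects the attributes a browser would see on the <link> tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if tag == "link":
            self.attrs = dict(attrs)

def rendered_attributes(tag_html):
    """Parse as a browser would; an unexpected on* attribute means a value broke out."""
    parser = _LinkAttrs()
    parser.feed(tag_html)
    return parser.attrs
```

In the hardened output the same input survives only as the href value (`&quot;` in the source, a literal quote after parsing), so no extra attribute appears.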