CVE-2026-2430 in Autoptimize Plugin
Summary
by MITRE • 03/21/2026
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces all occurrences of `\ssrc=` in image tags without limiting to the actual attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by crafting an image tag where the `src` URL contains a space followed by `src=`, causing the regex to break the HTML structure and promote text inside attribute values into executable HTML attributes.
Analysis
by VulDB Data Team • 03/27/2026
The Autoptimize WordPress plugin suffers from a critical stored cross-site scripting vulnerability identified as CVE-2026-2430 affecting versions through 3.1.14. This vulnerability resides in the lazy-loading image processing functionality and represents a significant security risk for WordPress installations. The flaw manifests through an overly permissive regular expression implementation within the add_lazyload function that indiscriminately replaces all instances of the whitespace-followed-by-src= pattern in image tags. This regex pattern matching approach fails to properly validate or sanitize the HTML structure, creating a pathway for malicious code injection that can persist across multiple user sessions.
The technical exploitation of this vulnerability requires an authenticated attacker with at least Contributor-level privileges, which represents a concerning privilege escalation vector since many WordPress sites have users with these permissions. Attackers can craft malicious image tags where the src URL contains a space followed by src=, which causes the vulnerable regex to incorrectly parse the HTML structure. This specific regex behavior breaks the normal HTML attribute parsing process, allowing text that should remain within attribute values to be interpreted as executable HTML attributes. The vulnerability directly maps to CWE-79, which defines cross-site scripting flaws as weaknesses that occur when an application fails to properly sanitize user input before including it in output that is sent to another user.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with persistent access to victim users through the stored nature of the XSS payload. When compromised pages are accessed, the injected scripts execute in the context of the victim's browser session, potentially enabling session hijacking, credential theft, or further exploitation of the compromised user's privileges. The vulnerability affects all versions up to and including 3.1.14, indicating a prolonged period during which this flaw remained undetected and exploitable. The attack vector specifically targets the lazy-loading feature which is commonly enabled on WordPress sites, making the vulnerability particularly widespread and dangerous.
Mitigation strategies should prioritize immediate plugin updates to versions that address this regex parsing issue and implement proper HTML attribute sanitization. Organizations should also consider implementing content security policies to limit script execution and monitor for suspicious user activity. The vulnerability demonstrates the importance of proper input validation and the dangers of overly permissive regular expressions in web applications, aligning with ATT&CK technique T1566 which covers social engineering through malicious content injection. Security teams should also review their WordPress plugin management processes to ensure rapid response to security advisories and maintain updated security monitoring systems to detect potential exploitation attempts.
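The following is an added illustration, not code from the Autoptimize plugin or from VulDB, of the rewrite flaw the summary and analysis describe and of the attribute-aware rewrite the mitigation calls for. The regex in `lazyload_naive`, the placeholder name and the sample `<img>` tag are all assumptions constructed for the demo; a harmless `title` attribute stands in for whatever text the flawed rewrite would promote out of the `src` value.

```python
import html
import re
from html.parser import HTMLParser

# Constructed placeholder; the real plugin uses its own lazy-load placeholder image.
PLACEHOLDER = "lazy-placeholder.svg"

# Constructed input in the shape the advisory describes: the src value itself
# contains a space followed by "src=". The harmless title attribute shows what
# gets promoted from inside the attribute value into a real attribute.
CONSTRUCTED_TAG = '<img src="https://example.com/a.png src=x title=promoted" alt="photo">'


def lazyload_naive(tag: str) -> str:
    """Models the flawed approach: rewrite every whitespace+src= in the raw tag
    text with no notion of where attribute values begin and end. This is an
    assumed reconstruction, not the plugin's exact code."""
    return re.sub(r"\ssrc=", f' src="{PLACEHOLDER}" data-src=', tag)


class _ImgAttrs(HTMLParser):
    """Collects the (name, value) pairs an HTML parser sees on the <img> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs.extend(attrs)


def parse_attrs(tag: str):
    parser = _ImgAttrs()
    parser.feed(tag)
    parser.close()
    return parser.attrs


def attribute_names(tag: str):
    return [name for name, _ in parse_attrs(tag)]


def lazyload_attr_aware(tag: str) -> str:
    """Hardened rewrite: parse the tag first, move only the real src attribute
    to data-src, and re-serialise every value quoted and entity-escaped."""
    parts = []
    for name, value in parse_attrs(tag):
        if name == "src":
            parts.append(f'src="{PLACEHOLDER}"')
            name = "data-src"
        parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
    return "<img " + " ".join(parts) + ">"
```

Parsing the naive output shows `title` as a separate attribute, while the attribute-aware output keeps the whole original `src` string inside `data-src`.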