
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2026-03-23

CVE-2026-2430 - Autoptimize Plugin

The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces all occurrences of `\ssrc=` in image tags without limiting to the actual attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by crafting an image tag where…

PLUGIN Autoptimize | CVE-2026-2430 | MEDIUM | CVSS 6.4 | 2026-03-21
Threat Entry Updated 2026-03-23

CVE-2026-2352 - Autoptimize Plugin

The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_preload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input sanitization in the `ao_metabox_save()` function and missing output escaping when the value is rendered into a `` tag in `autoptimizeImages.php`. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted the "Image optimization" or "Lazy-load images" setting is enabled in…

PLUGIN Autoptimize | CVE-2026-2352 | MEDIUM | CVSS 6.4 | 2026-03-21
Threat Entry Updated 2025-12-04

CVE-2025-13401 - Autoptimize Plugin

The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attributes in the "create_img_preload_tag" function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Autoptimize | CVE-2025-13401 | MEDIUM | CVSS 6.4 | 2025-12-03
Threat Entry Updated 2025-01-10

CVE-2023-2113 - Autoptimize Plugin

The Autoptimize WordPress plugin before 3.1.7 does not sanitise and escape the settings imported from a previous export, allowing high privileged users (such as an administrator) to inject arbitrary JavaScript into the admin panel, even when the unfiltered_html capability is disabled, such as in a multisite setup.

PLUGIN Autoptimize | CVE-2023-2113 | MEDIUM | CVSS 4.8 | 2023-05-30
Threat Entry Updated 2024-11-21

CVE-2022-2635 - Autoptimize Plugin

The Autoptimize WordPress plugin before 3.1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Autoptimize | CVE-2022-2635 | MEDIUM | CVSS 4.8 | 2022-09-16
Threat Entry Updated 2024-11-21

CVE-2021-24376 - Autoptimize Plugin

The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) from the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked, and it is possible to upload a zip that contains a directory with a PHP file in it, which is then not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the "Import Settings" functionality to achieve Remote Code Execution.

PLUGIN Autoptimize | CVE-2021-24376 | CRITICAL | CVSS 9.8 | 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24377 - Autoptimize Plugin

The Autoptimize WordPress plugin before 2.7.8 attempts to remove potentially malicious files from the extracted archive uploaded via the 'Import Settings' feature; however, this is not sufficient to protect against RCE, as a race condition can be achieved in between the moment the file is extracted on the disk and the moment it is removed. It is a bypass of CVE-2020-24948.

PLUGIN Autoptimize | CVE-2021-24377 | HIGH | CVSS 8.1 | 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24378 - Autoptimize Plugin

The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute when a victim visits index.html inside the plugin directory.

PLUGIN Autoptimize | CVE-2021-24378 | MEDIUM | CVSS 4.8 | 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24332 - Autoptimize Plugin

The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues.

PLUGIN Autoptimize | CVE-2021-24332 | MEDIUM | CVSS 4.8 | 2021-05-24