[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3eGztI4ZPpKY65uMwpLiZg6YjT5JjO35PtSE_6LyS0o":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-2430","autoptimize-authenticated-contributor-stored-cross-site-scripting-via-lazy-loaded-image-attributes","Autoptimize \u003C= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lazy-loaded Image Attributes","The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces all occurrences of `\\ssrc=` in image tags without limiting to the actual attribute. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page. The injection relies on an image tag whose `src` URL contains a space followed by `src=`, which causes the regex to break the HTML structure and promote text inside attribute values into executable HTML attributes.","autoptimize",null,"\u003C=3.1.14","3.1.15","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-20 00:00:00","2026-03-20 23:25:14",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fddc5c4d7-09dc-45bf-a3c7-5a0757e3110a?source=api-prod",1,[22,23,24,25,26,27,28,29],"autoptimize.php","classes\u002FautoptimizeExtra.php","classes\u002FautoptimizeImages.php","classes\u002FautoptimizeMetabox.php","classes\u002Fexternal\u002Fphp\u002Fao-minify-html.php","classes\u002Fstatic\u002Fexit-survey\u002Fexit-survey.css","classes\u002Fstatic\u002Fexit-survey\u002Fexit-survey.js","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-2430\n\n## 1. Vulnerability Summary\nThe **Autoptimize** plugin (\u003C= 3.1.14) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability resides in the `autoptimizeImages::add_lazyload` (or equivalent image processing) logic, where an overly permissive regular expression is used to identify and replace the `src` attribute of `\u003Cimg>` tags for lazy loading.\n\nThe plugin incorrectly identifies strings like ` src=` inside existing attribute values (e.g., within a URL query parameter) as the start of a new `src` attribute. 
When the plugin performs its replacement to inject a lazy-loading placeholder, it can inadvertently close the original attribute's quotes and \"promote\" the subsequent text into executable HTML attributes like `onerror`.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: WordPress Post\u002FPage Editor (or any location where a Contributor+ can save HTML content).\n- **Vulnerable Component**: The lazy-loading image processor which runs on the frontend during page rendering.\n- **HTTP Parameter**: The `content` or `post_content` of a post.\n- **Authentication**: Required (Contributor-level or higher).\n- **Preconditions**: \n    - The **\"Lazy-load images?\"** option must be enabled in `Settings > Autoptimize > Images`.\n    - Alternatively, it can be enabled per-page via the Autoptimize Metabox (managed in `classes\u002FautoptimizeMetab","gemini-3-flash-preview","2026-04-18 01:46:25","2026-04-18 01:47:19",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.1.14","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautoptimize\u002Ftags\u002F3.1.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fautoptimize.3.1.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautoptimize\u002Ftags\u002F3.1.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fautoptimize.3.1.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautoptimize\u002Ftags"]