CVE-2025-13401 is a stored cross-site scripting vulnerability identified in the Autoptimize plugin for WordPress, a widely used tool for optimizing website performance. The vulnerability arises from improper neutralization of input during web page generation, specifically in the "create_img_preload_tag" function that handles the LCP (Largest Contentful Paint) Image to preload metabox. This function fails to adequately sanitize and escape user-supplied image attributes, allowing an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time a user visits the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability requires authentication but no user interaction, and the attack surface includes any WordPress site running Autoptimize versions up to and including 3.1.13. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and partial impact on confidentiality and integrity. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the plugin's popularity and the ease of exploitation by low-privileged users. The flaw underscores the importance of proper input validation and output encoding in web applications, especially in plugins that handle user-generated content or attributes.

For European organizations, this vulnerability can lead to unauthorized script execution on their WordPress websites, potentially resulting in session hijacking, data theft, defacement, or the spread of malware to site visitors. Given the widespread use of WordPress and Autoptimize in Europe, especially among SMEs and content-heavy websites, exploitation could damage brand reputation, lead to regulatory non-compliance (e.g., GDPR breaches due to data exposure), and disrupt business operations. Attackers could leverage this vulnerability to escalate privileges or pivot to other internal systems if administrative credentials are compromised. The requirement for contributor-level access means insider threats or compromised accounts pose a significant risk. The stored nature of the XSS increases the attack's persistence and reach, affecting all users who visit the infected pages. This could also impact e-commerce platforms, government portals, and media outlets relying on WordPress, amplifying the potential damage.

European organizations should immediately audit and restrict contributor-level access on WordPress sites using Autoptimize to trusted users only. Apply the latest plugin updates once available; if no patch exists yet, consider temporarily disabling the LCP Image preload feature or the Autoptimize plugin entirely. Implement Web Application Firewalls (WAFs) with rules to detect and block suspicious script injections targeting image attributes. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scan websites for injected scripts or anomalies in image tags. Educate site administrators on the risks of granting contributor access and enforce strong authentication mechanisms, including multi-factor authentication. Monitor logs for unusual activity related to image attribute modifications. Finally, consider using security plugins that detect and prevent XSS attacks and maintain regular backups to enable quick recovery if compromise occurs.