CVE-2026-2352 is a stored cross-site scripting vulnerability identified in the Autoptimize plugin for WordPress, a widely used tool for optimizing website performance through image optimization and lazy loading. The vulnerability exists due to improper neutralization of input during web page generation (CWE-79). Specifically, the 'ao_post_preload' meta value is not properly sanitized in the ao_metabox_save() function, and output escaping is missing when this value is rendered inside a <link> tag within autoptimizeImages.php. This flaw allows an attacker with authenticated Contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the injected script is stored and executed whenever any user accesses the affected page, it can lead to persistent XSS attacks. The attack vector requires no user interaction but does require authentication with limited privileges, which is common in multi-user WordPress environments. The vulnerability affects all versions of Autoptimize up to and including 3.1.14. The CVSS v3.1 score is 6.4, reflecting a medium severity level with network attack vector, low attack complexity, and privileges required but no user interaction. The scope is changed (S:C) because the vulnerability can affect other components or users beyond the attacker’s privileges. The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the presence of this vulnerability in a popular plugin makes it a significant risk for WordPress sites employing Autoptimize with image optimization or lazy-load features enabled.

The vulnerability allows attackers with Contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any users visiting those pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential defacement or redirection to malicious sites. Since the vulnerability affects a widely used plugin, many WordPress sites globally could be at risk, especially those with multiple contributors or editors. The compromise of user accounts or site integrity can damage organizational reputation, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. Although availability is not impacted, the confidentiality and integrity risks are significant, particularly for sites handling sensitive user data or providing critical services. The requirement for authenticated access limits exploitation to environments where attackers have at least contributor privileges, but such access is often attainable through credential theft or social engineering. The scope change indicates that the vulnerability can affect users beyond the attacker’s privileges, increasing its potential impact.

1. Upgrade the Autoptimize plugin to a version beyond 3.1.14 once a patch is released addressing CVE-2026-2352. Monitor official plugin repositories and security advisories for updates. 2. In the interim, disable the 'Image optimization' and 'Lazy-load images' features in Autoptimize to prevent the vulnerable code path from executing. 3. Restrict Contributor-level and higher privileges to trusted users only, and review user roles to minimize unnecessary elevated access. 4. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious script injection attempts targeting the 'ao_post_preload' meta value or related parameters. 5. Conduct regular security audits and scanning of WordPress sites to detect injected scripts or anomalous meta values. 6. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site. 7. Educate site administrators and contributors on phishing and credential security to reduce the risk of privilege escalation. 8. Monitor site logs for unusual activity indicative of exploitation attempts. 9. Consider isolating or sandboxing user-generated content to reduce the impact of XSS vulnerabilities. 10. Backup site data regularly to enable recovery in case of compromise.