Stored Cross-Site Scripting in Autoptimize Plugin for WordPress
CVE-2025-13401

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Autoptimize
Vendor: CVE Published:; 3 December 2025

What is CVE-2025-13401?

The Autoptimize plugin for WordPress suffers from a stored cross-site scripting vulnerability due to inadequate input sanitization and output escaping. This vulnerability exists in the 'create_img_preload_tag' function, affecting all versions up to and including 3.1.13. Authenticated attackers with contributor-level access or higher can exploit this flaw to inject arbitrary web scripts into pages. Once injected, these scripts execute in the browsers of users who access those compromised pages, potentially leading to data theft, session hijacking, or further exploitation.

Affected Version(s)

Autoptimize * <= 3.1.13

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3401333/auto...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 3, 2025
Vulnerability Reserved
Nov 19, 2025

Credit

Muhammad Yudha - DJ

JSON