Multiple Plugins – Unauthenticated Stored XSS via Minify Library | CVE 2026-3220

Description

The plugins are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

Proof of Concept

The PoC will be displayed on June 24, 2026, to give users the time to update.

Affects Plugins

autoptimize

Fixed in 3.1.15

clearfy

Fixed in 2.4.2

sg-cachepress

Fixed in 7.7.9

References

CVE

CVE-2026-3220

URL

https://sec.stealthcopter.com/regexss/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

8.8 (high)

Miscellaneous

Original Researcher

Matthew Rollings

Submitter

Matthew Rollings

Submitter website

https://sec.stealthcopter.com

Submitter twitter

stealthcopter

Verified

Yes

WPVDB ID

3ceabf11-23cd-4c38-ba14-014348b0ff2d

Timeline

Publicly Published

2026-04-27 (about 16 days ago)

Added

2026-04-27 (about 16 days ago)

Last Updated

2026-05-08 (about 4 days ago)

Other

Published

Title

Published

2024-09-25

Title

GF Custom Style <= 2.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Published

2014-08-01

Title

Catablog < 1.6.3 - Cross Site Scripting

Published

2024-03-25

Title

VK All in One Expansion Unit < 9.97.0.0 - Contributor+ Stored XSS

Published

2023-02-06

Title

CC Custom Taxonomy <= 1.0.1 - Admin+ Stored XSS

Published

2024-11-25

Title

Elementor Website Builder < 3.25.8 - Contributor+ Stored XSS