WordPress Plugin Vulnerabilities

Autoptimize < 2.8.4 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
autoptimize
Fixed in 2.8.4

References

CVE
CVE-2021-24332
URL
https://plugins.trac.wordpress.org/changeset/2525674/
URL
https://m0ze.ru/vulnerability/[2021-04-01]-[WordPress]-[CWE-79]-Autoptimize-WordPress-Plugin-v2.8.3.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
m0ze
Verified
Yes
WPVDB ID
6678e064-ce21-4bb2-8c50-061073fb22fb

Timeline

Publicly Published
2021-05-07 (about 4 years ago)
Added
2021-05-07 (about 4 years ago)
Last Updated
2021-05-18 (about 4 years ago)

Other

Published
Title
Published
2025-10-18
Title
WP Last Modified Info < 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-08-26
Title
Beaver Builder < 2.8.3.4 - Reflected Cross-Site Scripting
Published
2024-05-20
Title
PDF.js < 4.2.67 - Arbitrary JavaScript Execution
Published
2025-04-10
Title
Credova_Financial < 2.4.9 - Reflected Cross-Site Scripting
Published
2024-05-07
Title
Move Addons for Elementor < 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting