PatchSiren

Autoptimize CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Autoptimize CVE published 2026-05-18

CVE-2026-3220

## Summary

CVE-2026-3220 is a **HIGH severity (CVSS 8.8)** unauthenticated Stored Cross-Site Scripting (XSS) vulnerability affecting three WordPress optimization plugins: Autoptimize (before 3.1.15), Clearfy Cache (before 2.4.2), and Speed Optimizer (before 7.7.9). The flaw stems from a **predictable replacement hash** used during HTML minification, combined with a regular expression weakness, allowing at [truncated]