WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Autoptimize safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Autoptimize WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: autoptimize
  • Requires PHP: 7.1+
  • Max supported PHP (analyzed): 8.4

Known vulnerabilities

  • Autoptimize [autoptimize] < 2.7.8 [CVE-2021-24378, WordPress Autoptimize plugin <= 2.7.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability, Autoptimize &lt; 2.7.8 - Authenticated Stored XSS via File Upload, Autoptimize <= 2.7.7 - Unsafe File Upload to Cross-Site Scripting]
  • Autoptimize [autoptimize] < 2.7.8 [CVE-2021-24376, WordPress Autoptimize plugin <= 2.7.7 - Arbitrary File Upload via "Import Settings" vulnerability, Autoptimize &lt; 2.7.8 - Arbitrary File Upload via &quot;Import Settings&quot;, Autoptimize <= 2.7.7 - Arbitrary File Upload (and Remote Code Execution) via Import Settings]
  • Autoptimize [autoptimize] < 2.7.8 [CVE-2021-24377, WordPress Autoptimize plugin <= 2.7.7 - Race Condition leading to Remote Code Execution (RCE) vulnerability, Autoptimize &lt; 2.7.8 - Race Condition leading to RCE, Autoptimize <= 2.7.7 - Race Condition leading to Remote Code Execution]
  • Autoptimize [autoptimize] < 2.8.4 [CVE-2021-24332, Autoptimize &lt; 2.8.4 - Authenticated Stored Cross-Site Scripting (XSS), Autoptimize <= 2.8.3 - Stored Cross-Site Scripting]
  • Autoptimize [autoptimize] < 2.7.7 [CVE-2020-24948, WordPress Autoptimize plugin <= 2.7.6 - Authenticated Arbitrary File Upload vulnerability, Autoptimize &lt; 2.7.7 - Authenticated Arbitrary File Upload, Autoptimize <= 2.7.6 - Authenticated Arbitrary File Upload]
+ 11 more known vulnerabilities
  • Autoptimize [autoptimize] < 2.8.4 [WordPress Autoptimize plugin <= 2.8.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability]
  • Autoptimize [autoptimize] < 3.1.1 [CVE-2022-2635, WordPress Autoptimize Plugin <= 3.1.0 - Authenticated Stored Cross-Site Scripting vulnerability, Autoptimize <= 3.1.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Settings, Autoptimize &lt; 3.1.1 - Admin+ Stored Cross Site Scripting]
  • Autoptimize [autoptimize] < 3.1.0 [WordPress Autoptimize Plugin <= 3.0.4 is vulnerable to Sensitive Data Exposure]
  • Autoptimize [autoptimize] < 3.1.0 [CVE-2022-4057, Autoptimize <= 3.0.4 - Sensitive Information Disclosure, Autoptimize &lt; 3.1.0 - Sensitive Data Disclosure]
  • Autoptimize [autoptimize] < 2.1.1 [Autoptimize <= 2.1.0 - Unauthenticated Local File Inclusion]
  • Autoptimize [autoptimize] < 3.1.7 [WordPress Autoptimize Plugin <= 3.1.6 is vulnerable to Cross Site Scripting (XSS)]
  • Autoptimize [autoptimize] < 3.1.7 [CVE-2023-2113, Autoptimize <= 3.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Rules, Autoptimize &lt; 3.1.7 - Admin+ Stored Cross-Site Scripting via Settings Import]
  • Autoptimize [autoptimize] < 3.1.14 [CVE-2025-13401, Autoptimize <= 3.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting]
  • Autoptimize [autoptimize] < 3.1.15 [CVE-2026-2352, Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ao_post_preload' Meta Value]
  • Autoptimize [autoptimize] < 3.1.15 [CVE-2026-2430, Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lazy-loaded Image Attributes]
  • Autoptimize [autoptimize] < 3.1.15 [CVE-2026-3220, WordPress Autoptimize Plugin < 3.1.15 is vulnerable to Cross Site Scripting (XSS)]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.