PLUGIN SECURITY
Is Autoptimize safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Autoptimize WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
autoptimize - Requires PHP: 7.1+
- Max supported PHP (analyzed): 8.4
Known vulnerabilities
- Autoptimize [autoptimize] < 2.7.8 [CVE-2021-24378, WordPress Autoptimize plugin <= 2.7.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability, Autoptimize < 2.7.8 - Authenticated Stored XSS via File Upload, Autoptimize <= 2.7.7 - Unsafe File Upload to Cross-Site Scripting]
- Autoptimize [autoptimize] < 2.7.8 [CVE-2021-24376, WordPress Autoptimize plugin <= 2.7.7 - Arbitrary File Upload via "Import Settings" vulnerability, Autoptimize < 2.7.8 - Arbitrary File Upload via "Import Settings", Autoptimize <= 2.7.7 - Arbitrary File Upload (and Remote Code Execution) via Import Settings]
- Autoptimize [autoptimize] < 2.7.8 [CVE-2021-24377, WordPress Autoptimize plugin <= 2.7.7 - Race Condition leading to Remote Code Execution (RCE) vulnerability, Autoptimize < 2.7.8 - Race Condition leading to RCE, Autoptimize <= 2.7.7 - Race Condition leading to Remote Code Execution]
- Autoptimize [autoptimize] < 2.8.4 [CVE-2021-24332, Autoptimize < 2.8.4 - Authenticated Stored Cross-Site Scripting (XSS), Autoptimize <= 2.8.3 - Stored Cross-Site Scripting]
- Autoptimize [autoptimize] < 2.7.7 [CVE-2020-24948, WordPress Autoptimize plugin <= 2.7.6 - Authenticated Arbitrary File Upload vulnerability, Autoptimize < 2.7.7 - Authenticated Arbitrary File Upload, Autoptimize <= 2.7.6 - Authenticated Arbitrary File Upload]
+ 11 more known vulnerabilities
- Autoptimize [autoptimize] < 2.8.4 [WordPress Autoptimize plugin <= 2.8.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability]
- Autoptimize [autoptimize] < 3.1.1 [CVE-2022-2635, WordPress Autoptimize Plugin <= 3.1.0 - Authenticated Stored Cross-Site Scripting vulnerability, Autoptimize <= 3.1.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Settings, Autoptimize < 3.1.1 - Admin+ Stored Cross Site Scripting]
- Autoptimize [autoptimize] < 3.1.0 [WordPress Autoptimize Plugin <= 3.0.4 is vulnerable to Sensitive Data Exposure]
- Autoptimize [autoptimize] < 3.1.0 [CVE-2022-4057, Autoptimize <= 3.0.4 - Sensitive Information Disclosure, Autoptimize < 3.1.0 - Sensitive Data Disclosure]
- Autoptimize [autoptimize] < 2.1.1 [Autoptimize <= 2.1.0 - Unauthenticated Local File Inclusion]
- Autoptimize [autoptimize] < 3.1.7 [WordPress Autoptimize Plugin <= 3.1.6 is vulnerable to Cross Site Scripting (XSS)]
- Autoptimize [autoptimize] < 3.1.7 [CVE-2023-2113, Autoptimize <= 3.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Rules, Autoptimize < 3.1.7 - Admin+ Stored Cross-Site Scripting via Settings Import]
- Autoptimize [autoptimize] < 3.1.14 [CVE-2025-13401, Autoptimize <= 3.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting]
- Autoptimize [autoptimize] < 3.1.15 [CVE-2026-2352, Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ao_post_preload' Meta Value]
- Autoptimize [autoptimize] < 3.1.15 [CVE-2026-2430, Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lazy-loaded Image Attributes]
- Autoptimize [autoptimize] < 3.1.15 [CVE-2026-3220, WordPress Autoptimize Plugin < 3.1.15 is vulnerable to Cross Site Scripting (XSS)]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- WP Fastest Cache – WordPress Cache Plugin — 1000000+ active installs — max PHP 8.4
- WebP Express — 300000+ active installs — max PHP 8.4
- Responsive Lightbox & Gallery — 100000+ active installs — max PHP 8.4
- Modern Image Formats — 100000+ active installs
- Lightbox & Modal Popup WordPress Plugin – FooBox — 100000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.