CVE-2026-3220 Multiple Plugins - Unauthenticated Stored XSS via Minify Library

🗓️ 18 May 2026 06:00:08Reported by WPScanType

Unauthenticated stored cross site scripting affects multiple WordPress plugins via a minify library, enabling HTML attribute injection.

Reporter	Title	Published	Views	Family All 12
ATTACKERKB	CVE-2026-3220	18 May 202606:00	–	attackerkb
Circl	CVE-2026-3220	18 May 202608:42	–	circl
CNNVD	WordPress多款产品跨站脚本漏洞	18 May 202600:00	–	cnnvd
CVE	CVE-2026-3220	18 May 202606:00	–	cve
EUVD	EUVD-2026-30736	18 May 202606:00	–	euvd
NVD	CVE-2026-3220	18 May 202607:16	–	nvd
Patchstack	WordPress Autoptimize plugin < 3.1.15 - Unauthenticated Stored XSS via Minify Library vulnerability	11 Jun 202613:17	–	patchstack
Patchstack	WordPress Clearfy Cache plugin < 2.4.2 - Unauthenticated Stored XSS via Minify Library vulnerability	11 Jun 202613:17	–	patchstack
Patchstack	WordPress Speed Optimizer plugin < 7.7.9 - Unauthenticated Stored XSS via Minify Library vulnerability	11 Jun 202613:18	–	patchstack
Positive Technologies	PT-2026-41636	18 May 202600:00	–	ptsecurity

[
  {
    "vendor": "Unknown",
    "product": "Autoptimize",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "3.1.15"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Unknown",
    "product": "Clearfy Cache",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "2.4.2"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Unknown",
    "product": "Speed Optimizer",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "7.7.9"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/3ceabf11-23cd-4c38-ba14-014348b0ff2d/

18 May 2026 06:00Current

EPSS0.0032