CVE-2025-13401

MEDIUM

Autoptimize <= 3.1.13 - Authenticated Stored Cross-Site Scripting via LCP Image Preload Metabox


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-13401. PoCs published by ciscocamelo.

AI-analyzed exploit summary: This PoC demonstrates a stored XSS vulnerability in Autoptimize <= 3.1.13, where insufficient sanitization of event handler attributes in image tags leads to arbitrary JavaScript execution when processed by the plugin.

Description

The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attributes in the "create_img_preload_tag" function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Exploits (1)

nomisec WORKING POC
by ciscocamelo · poc
https://github.com/ciscocamelo/CVE-2025-13401-XSS-Stored

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Autoptimize < 3.1.14
Auth required
Prerequisites: Authenticated user with Contributor role or higher · Autoptimize plugin version <= 3.1.13 · Image optimization or preloading enabled
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.4
EPSS 0.0026
EPSS Percentile 17.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
optimizingmatters/Autoptimize < 3.1.13
Published Dec 03, 2025
Tracked Since Feb 18, 2026