Severity: HIGH

CVE-2026-3220

Published: May 18, 2026 · Updated: May 18, 2026

CVSS v3.1 base score: 8.8
EPSS: 0.04% probability of exploitation in 30 days (percentile: 12.5th)

Official Description

The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

NVD Source

Technical Analysis

CVE-2026-3220 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation does not require any privileges, but it does require user interaction (UI:R), which slightly reduces the risk of mass automated attacks.

A successful exploit results in a complete confidentiality breach (data exposure), full integrity compromise (data manipulation) and availability disruption (denial of service), giving a CVSS base score of 8.8.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: Required
  Scope: Unchanged
Impact
  Confidentiality: High
  Integrity: High
  Availability: High
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
WordPress
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time.

News & Research Mentioning CVE-2026-3220 (note: the items below actually reference CVE-2026-32202 and CVE-2026-32201, which match this identifier only as a string prefix; none of them concerns the Autoptimize/Clearfy Cache/Speed Optimizer issue described above)

CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA Alerts · Apr 28, 2026

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2024-1708 ConnectWise ScreenConnect Path Traversal Vulnerability CVE-2026-32202 Microsoft Windows Protection Mechanism Failure Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remedia

Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202
The Hacker News · Apr 28, 2026

Microsoft on Monday revised its advisory for a now-patched, high-severity security flaw impacting Windows Shell to acknowledge that it has been actively exploited in the wild. The vulnerability in question is CVE-2026-32202 (CVSS score: 4.3), a spoofing vulnerability that could allow an attacker to access sensitive information. It was addressed as part of its Patch Tuesday update for this

CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA Alerts · Apr 14, 2026

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2009-0238 Microsoft Office Remote Code Execution Vulnerability CVE-2026-32201 Microsoft SharePoint Server Improper Input Validation Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to re

Quick Facts

CVE ID: CVE-2026-3220
CVSS Score: 8.8 / 10
Severity: HIGH
CISA KEV: No
EPSS (30d): 0.04%
Published: May 18, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-3220 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.