Autoptimize ikon

Autoptimize

4.7/5
900 000+ installationer

Autoptimize speeds up your website by optimizing JS, CSS, images (incl. lazy-load), HTML and Google Fonts, asyncing JS, removing emoji cruft and more.

25
Kända sårbarheter
3
Kritiska / höga
2025-12-03
Senaste sårbarhet
900 000+
Aktiva installationer

Om Autoptimize

Vad är Autoptimize?

Autoptimize är ett populärt WordPress-tillägg som optimerar webbplatsers prestanda genom att komprimera JavaScript, CSS och HTML-kod, samt erbjuder funktioner som lazy-loading av bilder och optimering av Google Fonts. Med över 900 000 aktiva installationer är det ett av de mest använda prestandatilläggen.

Säkerhetsläget

Tillägget har totalt 24 dokumenterade sårbarheter: 1 critical, 2 high och 21 medium. Den senaste kända sårbarheten upptäcktes så sent som december 2025, vilket visar att säkerhetsövervakning fortfarande är aktuell.

Den kritiska sårbarheten är naturligtvis mest allvarlig och kan potentiellt ge angripare full kontroll över webbplatsen. De "high"-klassade sårbarheterna kan möjliggöra dataläckage eller obehörig åtkomst, medan "medium"-sårbarheterna oftast kräver specifika omständigheter för att utnyttjas.

Våra rekommendationer

Trots säkerhetshistoriken kan Autoptimize användas säkert med rätt förhållningssätt:

  • Håll alltid tillägget uppdaterat till senaste versionen
  • Övervaka säkerhetsuppdateringar aktivt
  • Använd en Web Application Firewall (WAF) som extra skydd
  • Genomför regelbundna säkerhetskopior

Regelbundna uppdateringar är ditt bästa skydd mot kända sårbarheter och säkerställer att du får tillgång till de senaste säkerhetsförbättringarna.

Använder du Autoptimize?

Kör ett gratis test och se om din hemsida är påverkad av dessa sårbarheter.

Testa din hemsida

Alla kända sårbarheter

Medel CVE-2025-13401

CVE-2025-13401: The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitiz...

Påverkade versioner: all

The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attr...

Medel CVE-2025-13401

Autoptimize <= 3.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

Påverkade versioner: <= 3.1.13

Medel CVE-2023-2113

CVE-2023-2113: The Autoptimize WordPress plugin before 3.1.7 does not sanitise and escape the settings imported from a previous export, allowing high privileged users (such as an administrator) to inject arbitrar...

Påverkade versioner: < 3.1.7

The Autoptimize WordPress plugin before 3.1.7 does not sanitise and escape the settings imported from a previous export, allowing high privileged users (such as an administrator) to inject arbitrary javascript into the admin panel, even when the unfi...

Medel CVE-2023-1472

CVE-2023-1472: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation...

Påverkade versioner: < 1.7.2

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on its AJAX actions. This makes it possible for unau...

Medel CVE-2023-1346

CVE-2023-1346: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the clear_page_cache function. This makes it poss...

Medel CVE-2023-1345

CVE-2023-1345: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the queue_posts function. This makes it possible...

Medel CVE-2023-1344

CVE-2023-1344: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the uucss_update_rule function. This makes it pos...

Medel CVE-2023-1338

CVE-2023-1338: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized cache modification due to a missing capability check on the attach_rule function in versions up to, and inc...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized cache modification due to a missing capability check on the attach_rule function in versions up to, and including, 1.7.1. This makes it possible for authenticat...

Medel CVE-2023-1343

CVE-2023-1343: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the attach_rule function. This makes it possible...

Medel CVE-2023-1342

CVE-2023-1342: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the ucss_connect function. This makes it possible...

Medel CVE-2023-1341

CVE-2023-1341: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the ajax_deactivate function. This makes it possi...

Medel CVE-2023-1340

CVE-2023-1340: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the clear_uucss_logs function. This makes it poss...

Medel CVE-2023-1339

CVE-2023-1339: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check on the uucss_update_rule function in versions up to, and ...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check on the uucss_update_rule function in versions up to, and including, 1.7.1. This makes it possible for authenti...

Medel CVE-2023-1337

CVE-2023-1337: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the clear_uucss_logs function in versions up to, and includi...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the clear_uucss_logs function in versions up to, and including, 1.7.1. This makes it possible for authenticated a...

Medel CVE-2023-1336

CVE-2023-1336: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check on the ajax_deactivate function in versions up to, and in...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check on the ajax_deactivate function in versions up to, and including, 1.7.1. This makes it possible for authentica...

Medel CVE-2023-1335

CVE-2023-1335: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the ucss_connect function in versions up to, an...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the ucss_connect function in versions up to, and including, 1.7.1. This makes it possible for authen...

Medel CVE-2023-1334

CVE-2023-1334: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized cache modification due to a missing capability check on the queue_posts function in versions up to, and inc...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized cache modification due to a missing capability check on the queue_posts function in versions up to, and including, 1.7.1. This makes it possible for authenticat...

Medel CVE-2023-1333

CVE-2023-1333: The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_page_cache function in versions up to, and incl...

Påverkade versioner: <= 1.7.1

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_page_cache function in versions up to, and including, 1.7.1. This makes it possible for authenticate...

Medel CVE-2022-4057

CVE-2022-4057: The Autoptimize WordPress plugin before 3.1.0 uses an easily guessable path to store plugin's exported settings and logs.

Påverkade versioner: < 3.1.0

The Autoptimize WordPress plugin before 3.1.0 uses an easily guessable path to store plugin's exported settings and logs.

Medel CVE-2022-2635

CVE-2022-2635: The Autoptimize WordPress plugin before 3.1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks ...

Påverkade versioner: < 3.1.1

The Autoptimize WordPress plugin before 3.1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowe...

Medel CVE-2021-24378

CVE-2021-24378: The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high priv...

Påverkade versioner: < 2.7.8

The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing Java...

Hög CVE-2021-24377

CVE-2021-24377: The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to p...

Påverkade versioner: < 2.7.8

The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieve...

Kritisk CVE-2021-24376

CVE-2021-24376: The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extra...

Påverkade versioner: < 2.7.8

The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to up...

Medel CVE-2021-24332

CVE-2021-24332: The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cros...

Påverkade versioner: < 2.8.4

The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues

Hög CVE-2020-24948

CVE-2020-24948: The ao_ccss_import AJAX call in Autoptimize Wordpress Plugin 2.7.6 does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as ...

Påverkade versioner: < 2.7.7

The ao_ccss_import AJAX call in Autoptimize Wordpress Plugin 2.7.6 does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to remote command execution.

Så skyddar du din sajt

Sårbarheter i tillägg är den vanligaste attackytan för WordPress-sajter. Det bästa skyddet är att vara proaktiv — här är tre konkreta steg.

Håll tillägget uppdaterat

De flesta sårbarheter i Autoptimize åtgärdas snabbt av utvecklarna. Uppdatera alltid till senaste versionen.

Ta bort oanvända tillägg

Varje tillägg är en potentiell attackyta. Avinstallera det du inte aktivt använder.

Bevaka automatiskt

Med löpande övervakning upptäcker du problem innan de blir allvarliga.

Vill du slippa hålla koll själv? Med ett supportavtal från Sitesupport sköter vi uppdateringar och säkerhet åt dig.

Vanliga frågor om Autoptimize

Autoptimize har 25 kända sårbarheter, varav 3 med hög eller kritisk allvarlighetsgrad. Det betyder inte nödvändigtvis att tillägget är osäkert — de flesta sårbarheter åtgärdas i nya versioner. Det viktigaste är att alltid köra den senaste versionen.
Det enklaste sättet är att köra ett gratis test av din hemsida på sitesupport.co. Testet kontrollerar vilka tillägg du använder och vilka versioner som är installerade, och jämför det mot kända sårbarheter.
Uppdatera till den senaste versionen så snart som möjligt. Om det inte finns en uppdatering som åtgärdar problemet bör du överväga att tillfälligt inaktivera tillägget, särskilt om sårbarheten har kritisk eller hög allvarlighetsgrad.
Autoptimize har över 900 000 aktiva installationer på WordPress.org och ett betyg på 4.7 av 5. Populära tillägg har generellt bättre säkerhetsrutiner tack vare större community och fler ögon på koden.

Hur mår din hemsida?

Kör ett gratis test och se hur din sajt presterar inom SEO, säkerhet, prestanda och tillgänglighet — på under en minut.

Testa gratis

Inget konto krävs