Connect with us


WordPress Autoptimize Plugin Vulnerability Affects +1 Million Sites



WordPress Autoptimize Plugin Vulnerability Affects +1 Million Sites

WordPress optimization plugin Autoptimize recently updated to fix a Stored XSS vulnerability. Publishers who use the plugin are advised to update immediately to reduce the possibility of an exposure to a hacking event.

Stored XSS Vulnerability

A Stored Cross-Site Scripting (XSS) vulnerability is when the software has a flaw that allows a hacker to upload a malicious file that can then attack someone else who visits the site.

There are different kinds of stored XSS vulnerabilities and it isn’t clear which kind this is.

However, depending on where the malicious file is uploaded, this type of vulnerability can be especially problematic when someone with admin level privileges visits the site and receives the payload, which can lead to a total site takeover.

According to the United States government National Institute of Standards and Technology, a U.S. Commerce Department website, the following is how a cross site scripting exploit is defined:

“A vulnerability that allows attackers to inject malicious code into an otherwise benign website.

These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between the website and client.

Websites are vulnerable if they display user supplied data from requests or forms without sanitizing the data so that it is not executable. “

This is called a “stored” XSS vulnerability because the malicious file is stored on the website itself. Of the different kinds of XSS


Vulnerability Rating

Vulnerabilities are rated using an open source standard called Common Vulnerability Scoring System (CVSS). A vulnerability score is commonly referred to using CVSS version 3.1.

This is how the vulnerability standard is described:

“The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. “

The vulnerability affecting Autoptimize is called an Authenticated Stored XSS vulnerability which means that a hacker must be logged in to the site in order to take advantage of the flaw.

That may be a contributing reason for why the severity level of the Autoptimize WordPress Plugin vulnerability has been rated as medium, with a score of 5.4 on a scale of 1 to 10.

Autoptimize Changelog

A changelog is a log of all the changes that a software makes with every update. It typically states a version, sometimes the date of the version and the changes contained within the update.

According to the official Autoptimize Changelog, the latest version is 2.8.4 which fixes the vulnerability.

fix for an authenticated XSS vulnerability”

While this is a vulnerability that’s rated as medium, it’s still recommended that all publishers who use this plugin update it immediately in order to stay safe.


Documentation of Autoptimize Vulnerability at Patchstack Security Site


Official Autoptimize Changelog


Google December Product Reviews Update Affects More Than English Language Sites? via @sejournal, @martinibuster



Google’s Product Reviews update was announced to be rolling out to the English language. No mention was made as to if or when it would roll out to other languages. Mueller answered a question as to whether it is rolling out to other languages.

Google December 2021 Product Reviews Update

On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.

The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.

A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:

“Mainly relevant to sites that post articles reviewing products.

Think of sites like “best TVs under $200″.com.

Goal is to improve the quality and usefulness of reviews we show users.”



Continue Reading Below

Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.

The first best practice was a requirement of evidence that a product was actually handled and reviewed.

The second best practice was to provide links to more than one place that a user could purchase the product.

The Twitter announcement stated that it was rolling out to English language websites. The blog post did not mention what languages it was rolling out to nor did the blog post specify that the product review update was limited to the English language.

Google’s Mueller Thinking About Product Reviews Update

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Product Review Update Targets More Languages?

The person asking the question was rightly under the impression that the product review update only affected English language search results.



Continue Reading Below

But he asserted that he was seeing search volatility in the German language that appears to be related to Google’s December 2021 Product Review Update.

This is his question:

“I was seeing some movements in German search as well.

So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.

…My question is, is it possible that the product reviews update affects other sites as well?”

John Mueller answered:

“I don’t know… like other languages?

My assumption was this was global and and across all languages.

But I don’t know what we announced in the blog post specifically.


But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.

I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.

But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.

And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.

So I’m not particularly surprised that you see changes in Germany.

But I also don’t know what we actually announced with regards to the locations and languages that are involved.”

Does Product Reviews Update Affect More Languages?

While the tweeted announcement specified that the product reviews update was limited to the English language the official blog post did not mention any such limitations.

Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.


One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.

It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.


Google Blog Post About Product Reviews Update

Product reviews update and your site

Google’s New Product Reviews Guidelines

Write high quality product reviews

John Mueller Discusses If Product Reviews Update Is Global

Watch Mueller answer the question at the 14:00 Minute Mark

[embedded content]

Continue Reading

Subscribe To our Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address