The SR WP Minify HTML plugin for WordPress contains a Cross‑Site Request Forgery flaw due to missing nonce validation in the sr_minify_html_theme() function. An unauthenticated attacker can forge a request that an administrator accepts, resulting in direct modification of the plugin’s settings. This could alter the website’s presentation or enable unintended features, and may be leveraged to facilitate further attacks if the plugin exposes additional configuration options.

The vulnerability affects the superrishi SR WP Minify HTML plugin versions up to and including 2.1 on all WordPress sites that have the plugin installed. Any site that has a version of this plugin below 2.2 is at risk. Administrators who have not upgraded after the public release of version 2.1 remain exposed.

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an administrator to be tricked into clicking a crafted link or submitting a forged form, which is common in many CSRF scenarios. Because the attacker does not need elevated privileges and only needs to target an admin’s authenticated session, the risk to an organization depends on the presence of the vulnerable plugin and the diligence of its administrators. While the impact is limited to configuration changes, if those changes are used to further compromise the site it can have cascading effects.