Description
The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html_menu_options' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-03-31
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery allowing unauthenticated modification of plugin settings
Action: Patch Immediately
AI Analysis

Impact

The Minify HTML plugin for WordPress, in all releases up to version 2.1.12, has a missing or incorrect nonce check in the minify_html_menu_options function. This flaw enables a forged request that an administrator may unknowingly submit, thereby changing the plugin’s configuration. The flaw is a classic Cross‑Site Request Forgery (CWE‑352) that results in unauthorized configuration changes, potentially affecting site performance or exposing the site to further attacks.

Affected Systems

Any WordPress installation that uses the Minify HTML plugin with a version less than or equal to 2.1.12 is affected. No other vendors or products are listed, and the vulnerable version range stops at 2.1.12, with no additional sub‑versions specified.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity. Exploitation requires a social‑engineering vector: an attacker must entice a logged‑in administrator to load a crafted URL that triggers the vulnerable function. The EPSS score is not provided, and the vulnerability is not in the CISA Known Exploited Vulnerabilities catalog. Therefore, while the likelihood of a broad, automated attack appears low, the risk to any site with vulnerable plugin remains moderate due to reliance on administrator action.

Generated by OpenCVE AI on March 31, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Minify HTML plugin to the latest available version that addresses the nonce validation issue. If an immediate upgrade is not possible, consider removing or disabling the plugin entirely to prevent configuration changes.

Generated by OpenCVE AI on March 31, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Teckel
Teckel minify Html
Wordpress
Wordpress wordpress
Vendors & Products Teckel
Teckel minify Html
Wordpress
Wordpress wordpress

Tue, 31 Mar 2026 11:45:00 +0000

Type Values Removed Values Added
Description The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html_menu_options' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Minify HTML <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Subscriptions

Teckel Minify Html
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-31T11:18:56.726Z

Reserved: 2026-02-25T09:05:41.076Z

Link: CVE-2026-3191

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-31T12:16:31.200

Modified: 2026-03-31T12:16:31.200

Link: CVE-2026-3191

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:38:51Z

Weaknesses