Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html_menu_options' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
The Minify HTML WordPress plugin (versions up to 2.1.12) contains a Cross-Site Request Forgery (CSRF) vulnerability in the 'minify_html_menu_options' function due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings if a site administrator is tricked into clicking a malicious link. The attack requires user interaction (UI:R) but can degrade site availability or integrity by altering minification behavior. No public exploit code or active exploitation has been confirmed, though the vulnerability is tracked by CISA-recognized security researchers.
Technical ContextAI
The Minify HTML plugin (CPE: cpe:2.3:a:teckel:minify_html:*:*:*:*:*:*:*:*) implements WordPress admin settings via the 'minify_html_menu_options' function without proper nonce (number used once) token validation. WordPress nonces are cryptographic tokens that prevent CSRF by ensuring state-changing requests originate from legitimate in-browser forms on the site. CWE-352 (Cross-Site Request Forgery) occurs when this validation is absent or bypassed. An attacker crafts a forged HTML form or link that, when clicked by an authenticated administrator, sends a request to modify plugin settings without the administrator's knowledge, since the browser automatically includes session cookies in cross-origin requests.
RemediationAI
Update the Minify HTML plugin to the patched version released after 2.1.12 as documented in the upstream fix commit 3486011 at plugins.trac.wordpress.org/changeset/3486011/minify-html-markup. Site administrators should immediately check for available updates in their WordPress admin dashboard and apply them. If an update is not yet available, temporarily deactivate the plugin until a patched version is released, or restrict admin dashboard access to trusted users only via .htaccess or equivalent firewall rules. Consult the Wordfence vulnerability intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/fe14b92b-1784-4083-9b9f-23d7f69a3215 for additional mitigation guidance.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17367