Severity by source
CVSS 3.1 vector (NVD, primary and only source for this CVE): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Description (CVE.org)
The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the sr_minify_html_theme() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Analysis (AI)
The SR WP Minify HTML plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation in the sr_minify_html_theme() function, affecting all versions up to and including 2.1. An unauthenticated attacker can exploit this vulnerability to modify plugin settings by tricking a site administrator into clicking a malicious link, potentially allowing unauthorized changes to site minification configuration. …
Vulnerability Assessment (AI)
| Risk Assessment | The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) indicates a low-complexity attack reachable over the network with no privileges required (PR:N), but it does require user interaction (UI:R) and results only in an integrity impact, with no confidentiality or availability impact. … |
| Exploit Scenario | An attacker crafts a malicious webpage or sends a phishing email containing a link that, when clicked by a WordPress administrator while logged into their site, automatically submits a forged request to modify the site's minification settings (such as disabling HTML minification or changing compression parameters). Because the plugin lacks nonce validation, the administrator's browser automatically includes their session cookie, allowing the forged request to execute with full administrative privileges. … |
| Remediation | WordPress site administrators should immediately update the SR WP Minify HTML plugin to a patched version beyond 2.1 if such a release is available, or disable the plugin entirely until a fix is released. … |
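The missing check the advisory describes is WordPress nonce validation on the settings handler. The following is an added example, not the plugin's own code: the handler name sr_minify_html_theme() is taken from the advisory, but its body, the option name 'sr_minify_html_options', the form field names and the nonce action are assumptions used to illustrate the vulnerable shape beside the hardened one.

```php
<?php
// Added example (not the plugin's code). Handler name from the advisory; the
// option name, field names and nonce action are assumptions for illustration.

// Vulnerable shape: any POST reaching this handler is trusted. A form on a
// third-party page, submitted by a logged-in administrator's browser, changes
// the settings because the session cookie is sent automatically.
function sr_minify_html_theme_unsafe() {
    if ( isset( $_POST['sr_minify_enabled'] ) ) {
        update_option( 'sr_minify_html_options', array(
            'enabled' => ! empty( $_POST['sr_minify_enabled'] ),
        ) );
    }
}

// Hardened shape: capability check plus nonce verification.
function sr_minify_html_theme() {
    if ( ! isset( $_POST['sr_minify_enabled'] ) ) {
        return;
    }
    // Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'sr-minify-html' ), '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the nonce field and terminates with a 403
    // when it is missing or invalid. The nonce is bound to the action, the
    // current user and a time window, so a foreign page cannot supply a valid one.
    check_admin_referer( 'sr_minify_html_save', 'sr_minify_html_nonce' );

    update_option( 'sr_minify_html_options', array(
        'enabled' => ! empty( $_POST['sr_minify_enabled'] ),
    ) );
}
add_action( 'admin_init', 'sr_minify_html_theme' );

// The settings form must emit the matching nonce field for the check to pass.
function sr_minify_html_settings_form() {
    $options = get_option( 'sr_minify_html_options', array( 'enabled' => false ) );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'sr_minify_html_save', 'sr_minify_html_nonce' ); ?>
        <label>
            <input type="checkbox" name="sr_minify_enabled" value="1"
                <?php checked( ! empty( $options['enabled'] ) ); ?> />
            Minify HTML output
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

With the hardened handler, a forged cross-site request is rejected before update_option() runs, which is the behaviour the advisory's fix has to restore.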
Recommended Action (AI)
Within 30 days: identify affected systems running the SR WP Minify HTML plugin for WordPress (all versions up to and including 2.1) and apply vendor patches as part of the regular patch cycle. …
References
EUVD-2026-14191
GHSA-w4gr-x4qr-j3xw