Platform
wordpress
Component
minify-html-markup
Fixed in
2.1.13
CVE-2026-3191 describes a Cross-Site Request Forgery (XSRF) vulnerability present in the Minify HTML plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings by crafting malicious requests, potentially impacting website performance and functionality. The vulnerability affects versions from 0.0.0 up to and including 2.1.12. A fix is available in version 2.1.13.
An attacker exploiting this XSRF vulnerability could leverage a forged request to modify the Minify HTML plugin's configuration. This could involve disabling minification, altering file exclusion rules, or changing other settings that impact website performance. While the plugin itself doesn't directly expose sensitive user data, modifications to its configuration could indirectly impact website speed and potentially create other vulnerabilities. The impact is amplified if the attacker can trick a site administrator into performing the malicious action, making it a persistent threat.
This vulnerability was publicly disclosed on 2026-03-31. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability's severity is assessed as Medium. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the ease of exploitation makes it a potential target for automated attacks.
WordPress websites utilizing the Minify HTML plugin, particularly those with site administrators who are susceptible to social engineering attacks, are at risk. Shared hosting environments where plugin updates are managed centrally are also potentially vulnerable if they haven't applied the update.
• wordpress / composer / npm:
grep -r 'minify_html_menu_options' /var/www/html/wp-content/plugins/minify-html/includes/
• wordpress / composer / npm:
wp plugin list | grep minify-html
• wordpress / composer / npm:
wp plugin update minify-html
disclosure
Exploit status
EPSS
0.01% (2% percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3191 is to immediately upgrade the Minify HTML plugin to version 2.1.13 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and output encoding on any user-facing forms that interact with the plugin's settings. Employing a Web Application Firewall (WAF) with XSRF protection rules can also help mitigate the risk. Verify the upgrade by checking the plugin version within the WordPress admin dashboard and confirming that the 'minify_html_menu_options' function now includes proper nonce validation.
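The verification step described above, as an added shell example (not code from the advisory or from the plugin's author): it compares a plugin version string against 2.1.13 and checks whether the body of minify_html_menu_options calls a WordPress nonce verifier (check_admin_referer or wp_verify_nonce). The two PHP samples, the option name and the nonce action are constructed for illustration and are not the plugin's real source.

```shell
# Added example (not the plugin's code): triage checks for CVE-2026-3191.
FIXED_VERSION="2.1.13"              # "fixed in" version from the advisory
HANDLER="minify_html_menu_options"  # settings function named in the advisory

# Exit 0 when plugin version $1 is at or above FIXED_VERSION.
version_is_patched() {
    [ -n "$1" ] || return 2
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$1" |
        LC_ALL=C sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Exit 0 when the body of HANDLER in PHP file $1 calls a WordPress nonce
# verifier. Brace counting is a heuristic: braces in strings can skew it.
handler_has_nonce_check() {
    awk -v fn="$HANDLER" '
        $0 ~ ("function[ \t]+" fn "[ \t]*\\(") { inside = 1 }
        inside {
            if ($0 ~ /(check_admin_referer|wp_verify_nonce)[ \t]*\(/) found = 1
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (index($0, "{")) opened = 1
            if (opened && depth <= 0) inside = 0
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample handlers (assumed shapes, not the real plugin source).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/before.php" <<'EOF'
<?php
function minify_html_menu_options() {
    if ( isset( $_POST['example_setting'] ) ) {
        update_option( 'example_setting', $_POST['example_setting'] );
    }
}
function unrelated() { wp_verify_nonce( $_POST['n'], 'other' ); }
EOF
cat > "$SAMPLES/after.php" <<'EOF'
<?php
function minify_html_menu_options() {
    check_admin_referer( 'example-action' );
    update_option( 'example_setting', $_POST['example_setting'] );
}
EOF
for f in before after; do
    handler_has_nonce_check "$SAMPLES/$f.php" && r="nonce check found" || r="no nonce check"
    echo "$f.php: $r in $HANDLER"
done
version_is_patched 2.1.12 || echo "2.1.12: below $FIXED_VERSION, update"
```

The nonce verifier in the unrelated() function of the "before" sample is deliberately ignored, because only a check inside the settings handler itself protects the settings request.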
Update to version 2.1.13 or a newer patched version.
CVE-2026-3191 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the Minify HTML WordPress plugin, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the Minify HTML plugin in versions 0.0.0 through 2.1.12. Upgrade to 2.1.13 or later to mitigate the risk.
Upgrade the Minify HTML plugin to version 2.1.13 or later. If immediate upgrade is not possible, consider WAF rules and input validation.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official WordPress security announcements and the Minify HTML plugin's repository for updates and advisories.