MEDIUM | CVE-2026-1392 | CVSS 4.3

CVE-2026-1392: CSRF in SR WP Minify HTML WordPress Plugin

Platform: wordpress

Component: sr-wp-minify-html

Fixed in: 2.2

AI Confidence: high | NVD | EPSS 0.0% | Reviewed: May 2026

CVE-2026-1392 describes a Cross-Site Request Forgery (CSRF) vulnerability present in the SR WP Minify HTML plugin for WordPress. This flaw allows unauthenticated attackers to modify plugin settings by crafting malicious requests, potentially impacting website performance and security. The vulnerability affects versions from 0.0.0 through 2.1, and a patch is available in version 2.2.


Impact and Attack Scenarios

An attacker exploiting this CSRF vulnerability could leverage a forged request to modify the SR WP Minify HTML plugin's settings. This could involve disabling minification, altering file inclusion paths, or introducing malicious code through configuration changes. Successful exploitation could lead to degraded website performance, increased attack surface, and potential code execution if the plugin interacts with other sensitive components. The impact is amplified if the website administrator is tricked into clicking a malicious link while logged in, granting the attacker the necessary permissions to execute the forged request.

Exploitation Context

This vulnerability was publicly disclosed on 2026-03-21. There are currently no known public exploits or active campaigns targeting this specific CVE. It is not listed on the CISA KEV catalog. The lack of public exploits suggests a low probability of immediate exploitation, but vigilance is still advised, especially given the ease of CSRF exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High

EPSS

0.01% (2% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base score: 4.3 (MEDIUM)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: sr-wp-minify-html
Vendor: wordfence
Affected range: 0.0.0 – 2.1
Fixed in: 2.2

Package Information

Active installs: 10
Plugin rating: 0.0
Requires WordPress: 4.5+
Compatible up to: 4.9.28
Requires PHP: 5.2.0+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-1392 is to immediately upgrade the SR WP Minify HTML plugin to version 2.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests with missing or invalid nonce values for the srminifyhtml_theme() function. Additionally, restrict access to plugin settings pages to authorized administrators only. Regularly review plugin configurations for any unauthorized changes. After upgrading, confirm the fix by attempting to access the plugin settings page while logged in as a non-administrator user and verifying that the request is denied.
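
The class of fix this advisory points at, a nonce and capability check on the settings handler, shown beside the unprotected pattern. This is an added example, not the plugin's own code and not taken from the 2.2 release; every `example_*` function, option and field name is hypothetical.

```php
<?php
// Added illustration. All example_* names are hypothetical, not the plugin's.

// BEFORE (deliberately unprotected, left unhooked): accepts any POST that
// arrives with the administrator's session cookies, including one submitted
// by a form on another site. No nonce, no capability check, raw input stored.
function example_minify_save_settings_unsafe() {
    if ( isset( $_POST['example_minify_submit'] ) ) {
        update_option( 'example_minify_enabled', $_POST['example_minify_enabled'] );
    }
}

// AFTER: the same handler with the three checks a settings writer needs.
function example_minify_save_settings() {
    if ( ! isset( $_POST['example_minify_submit'] ) ) {
        return; // Not a submission of this form.
    }
    // 1. Authorization: only administrators may change plugin options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: aborts the request unless the POST carries a nonce that is
    //    valid for this user, session and action. A cross-site form cannot
    //    read or predict that value.
    check_admin_referer( 'example_minify_save', 'example_minify_nonce' );

    // 3. Input handling: reduce the checkbox to a fixed set of values.
    $enabled = isset( $_POST['example_minify_enabled'] ) ? '1' : '0';
    update_option( 'example_minify_enabled', $enabled );
}
add_action( 'admin_init', 'example_minify_save_settings' );

// The settings form must emit the nonce that the handler verifies.
function example_minify_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_minify_save', 'example_minify_nonce' ); ?>
        <label>
            <input type="checkbox" name="example_minify_enabled" value="1"
                <?php checked( get_option( 'example_minify_enabled' ), '1' ); ?>>
            Minify HTML
        </label>
        <?php submit_button( 'Save', 'primary', 'example_minify_submit' ); ?>
    </form>
    <?php
}
```

When reviewing any plugin for this bug class, look for `update_option()` calls reachable from request data without a preceding `check_admin_referer()` or `wp_verify_nonce()` call.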

How to fix

No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.


Frequently asked questions

What is CVE-2026-1392 — CSRF in SR WP Minify HTML?

CVE-2026-1392 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the SR WP Minify HTML WordPress plugin, allowing attackers to modify plugin settings via forged requests.

Am I affected by CVE-2026-1392 in SR WP Minify HTML?

You are affected if you are using the SR WP Minify HTML plugin versions 0.0.0 through 2.1. Upgrade to version 2.2 or later to mitigate the risk.

How do I fix CVE-2026-1392 in SR WP Minify HTML?

Upgrade the SR WP Minify HTML plugin to version 2.2 or later. As a temporary workaround, implement a WAF rule to block requests with missing or invalid nonce values.

Is CVE-2026-1392 being actively exploited?

There are currently no known public exploits or active campaigns targeting CVE-2026-1392, but vigilance is still advised.

Where can I find the official SR WP Minify HTML advisory for CVE-2026-1392?

Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
