Platform: wordpress
Component: minify-html-markup
Fixed in: 2.1.13
CVE-2026-3191 describes a Cross-Site Request Forgery (XSRF) vulnerability present in the Minify HTML plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings by crafting malicious requests, potentially impacting website performance and functionality. The vulnerability affects versions from 0.0.0 up to and including 2.1.12. A fix is available in version 2.1.13.
An attacker exploiting this XSRF vulnerability could use a forged request to modify the Minify HTML plugin's configuration, for example by disabling minification, altering file exclusion rules, or changing other settings that affect website performance. While the plugin itself does not directly expose sensitive user data, changes to its configuration could indirectly degrade website speed and potentially open the door to other weaknesses. The attack depends on tricking a logged-in site administrator into submitting the forged request (typically by visiting an attacker-controlled page), and once the settings are changed they remain changed until an administrator reverts them, which makes it a persistent threat.
This vulnerability was publicly disclosed on 2026-03-31. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability's severity is assessed as Medium. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the ease of exploitation makes it a potential target for automated attacks.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-3191 is to immediately upgrade the Minify HTML plugin to version 2.1.13 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and output encoding on any user-facing forms that interact with the plugin's settings. Employing a Web Application Firewall (WAF) with XSRF protection rules can also help mitigate the risk. Verify the upgrade by checking the plugin version within the WordPress admin dashboard and confirming that the 'minifyhtmlmenu_options' function now includes proper nonce validation.
Update to version 2.1.13, or a newer patched version
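To show what the "proper nonce validation" mentioned above looks like in practice, here is an added example (constructed for this page, not the Minify HTML plugin's own code): a hypothetical WordPress settings-page handler in its XSRF-vulnerable form beside a hardened version. The option and field names (`example_minify_*`) are assumptions.

```php
<?php
// Hypothetical WordPress settings handler for a minifier plugin.
// Option name and form field names are constructed for this example;
// this is not the Minify HTML plugin's real code.

// --- Vulnerable pattern: saves settings on any POST, no nonce, no capability check.
// A forged request from another site, submitted by a logged-in admin's browser,
// is accepted exactly as if the admin had filled in the form.
function example_minify_options_vulnerable() {
    if ( isset( $_POST['example_minify_enabled'] ) ) {
        update_option( 'example_minify_enabled', (int) $_POST['example_minify_enabled'] );
    }
    echo '<form method="post">';
    echo '<input type="checkbox" name="example_minify_enabled" value="1">';
    submit_button();
    echo '</form>';
}

// --- Hardened pattern: capability check, nonce in the form, nonce verified on save.
function example_minify_options_fixed() {
    // Only users allowed to manage options may view or change the settings page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-minify' ) );
    }

    if ( isset( $_POST['example_minify_save'] ) ) {
        // check_admin_referer() stops with an error page when the nonce is missing,
        // expired, or was issued for another user or action, which is the case
        // for a cross-site forged request.
        check_admin_referer( 'example_minify_save_settings', 'example_minify_nonce' );
        $enabled = ! empty( $_POST['example_minify_enabled'] ) ? 1 : 0;
        update_option( 'example_minify_enabled', $enabled );
        add_settings_error( 'example_minify', 'saved', __( 'Settings saved.', 'example-minify' ), 'updated' );
    }

    settings_errors( 'example_minify' );
    $enabled = (int) get_option( 'example_minify_enabled', 0 );
    echo '<form method="post">';
    // Emits a hidden field carrying a nonce bound to this action and the current user.
    wp_nonce_field( 'example_minify_save_settings', 'example_minify_nonce' );
    printf(
        '<label><input type="checkbox" name="example_minify_enabled" value="1" %s> %s</label>',
        checked( 1, $enabled, false ),
        esc_html__( 'Enable HTML minification', 'example-minify' )
    );
    submit_button( __( 'Save', 'example-minify' ), 'primary', 'example_minify_save' );
    echo '</form>';
}
```

When verifying a patched plugin, look for `check_admin_referer()` or `wp_verify_nonce()` on the save path (or use of the Settings API, whose `settings_fields()` emits the nonce automatically); a save path that reads `$_POST` without either is the pattern this CVE describes.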
CVE-2026-3191 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the Minify HTML WordPress plugin, allowing attackers to modify plugin settings via forged requests.
You are affected if you are running Minify HTML plugin versions 0.0.0 through 2.1.12 on WordPress. Upgrade to 2.1.13 or later to mitigate the risk.
Upgrade the Minify HTML plugin to version 2.1.13 or later. If immediate upgrade is not possible, consider WAF rules and input validation.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official WordPress security announcements and the Minify HTML plugin's repository for updates and advisories.