Platform
wordpress
Component
sr-wp-minify-html
Fixed version
2.2
CVE-2026-1392 describes a Cross-Site Request Forgery (CSRF) vulnerability in the SR WP Minify HTML plugin for WordPress. The flaw lets an attacker with no account on the site modify the plugin's settings by inducing a logged-in administrator to submit a forged request, for example by visiting an attacker-controlled page or clicking a crafted link. The vulnerability affects versions from 0.0.0 through 2.1, and a fix is available in version 2.2.
A forged request reaches the plugin's settings handler with the administrator's session cookies attached, so the handler accepts it as if the administrator had submitted the form. What the attacker can change is bounded by what the settings control: for a minification plugin that means, for example, switching minification off or on or changing how output is processed. Degraded performance is the direct effect; any broader impact depends on whether a setting influences what is emitted into pages, which this advisory does not establish. Two preconditions apply: the victim must be logged in to wp-admin with the right to change the plugin's settings, and must load attacker-controlled content in that browser session. The attacker needs no account of their own, which is why the flaw is described as reachable by unauthenticated attackers.
This vulnerability was publicly disclosed on 2026-03-21. There are currently no known public exploits or active campaigns targeting this CVE, and it is not listed in the CISA KEV catalog. The absence of public exploits suggests a low probability of immediate exploitation, but vigilance is still advised given how little a CSRF attack requires: one administrator opening one attacker-controlled page while logged in.
Websites using the SR WP Minify HTML plugin are at increased risk when administrators browse untrusted sites or open links from untrusted sources in the same browser session in which they are logged in to wp-admin, and when many accounts hold the capability to change plugin settings. The exposure lies in the administrator's browser, not in the hosting environment.
• wordpress / composer / npm:
wp plugin get sr-wp-minify-html --field=version
grep -rEn 'sr_?minify_?html_theme|check_admin_referer|check_ajax_referer|wp_verify_nonce' /var/www/html/wp-content/plugins/sr-wp-minify-html/
The first command (WP-CLI) prints the installed version; anything below 2.2 is affected. The grep lists the settings handler (matching either spelling of its name used on this page) together with every nonce check in the plugin; a handler with no check_admin_referer(), check_ajax_referer() or wp_verify_nonce() call on its request path is the vulnerable pattern.
• generic web:
curl -s -o /dev/null -w '%{http_code}\n' 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=sr_minify_html_theme'
The URL must be quoted so the shell does not treat & as a background operator. Note the limits of this check: admin-ajax.php answers 400 (body "0") for unregistered actions and 200 for registered ones, a status code says nothing about nonce validation, and an unauthenticated request carries no administrator cookie. Treat it only as a hint that the plugin is active, and rely on the version check.
Disclosure
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1392 is to upgrade the SR WP Minify HTML plugin to version 2.2 or later. If upgrading is not immediately feasible because of compatibility concerns, deactivate the plugin until you can, or at minimum reduce exposure. A WAF cannot validate WordPress nonces (they are per-user, per-session tokens the WAF never sees generated), so a rule that "checks the nonce" for the settings handler the advisory identifies (srminifyhtml_theme()) is not achievable; what a WAF can do is block POST requests to the plugin's settings endpoint whose Origin or Referer header does not match your site, which defeats a browser-originated CSRF. Keep the set of accounts that can change plugin settings small, have administrators avoid untrusted sites in the browser session they use for wp-admin, and review the plugin's settings for unauthorized changes. After upgrading, confirm the fix by submitting the plugin's settings form with the nonce field removed or altered while logged in as an administrator: WordPress should reject the request (typically with "The link you followed has expired."). Testing as a non-administrator only exercises the capability check, not the nonce check that CSRF protection relies on.
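The following is an added example, not code from the SR WP Minify HTML plugin (whose source this page does not reproduce). It illustrates the settings-change-without-nonce pattern described above and the nonce-verified form that a fix such as the one in 2.2 corresponds to. Every function, hook, option and field name (srmh_example_*) is a hypothetical name chosen for the example.

```php
<?php
/*
 * Added example, not the plugin's own code. All names below
 * (srmh_example_*, the option key, the admin-post action) are hypothetical.
 */

// --- Vulnerable pattern: a state change guarded only by a capability check ---
// Any request that reaches this handler while an administrator is logged in
// updates the option. A page on an attacker's site can auto-submit such a
// form; the browser attaches the administrator's cookies, so the capability
// check passes. current_user_can() answers "who is this user", not "did this
// user intend this request", which is the question CSRF protection must answer.
function srmh_example_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $enabled = isset( $_POST['minify_enabled'] ) ? 1 : 0;
    update_option( 'srmh_example_minify_enabled', $enabled );
    wp_safe_redirect( admin_url( 'options-general.php?page=srmh-example&updated=1' ) );
    exit;
}

// --- Hardened pattern: a nonce bound to this action, verified before the change ---
// The form embeds a nonce that WordPress derives from the user's session and
// the action name. An attacker's page cannot read it (same-origin policy) and
// cannot compute it, so a forged submission arrives without a valid nonce.
function srmh_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="srmh_example_save_settings">
        <?php wp_nonce_field( 'srmh_example_save_settings', 'srmh_example_nonce' ); ?>
        <label>
            <input type="checkbox" name="minify_enabled" value="1"
                <?php checked( 1, (int) get_option( 'srmh_example_minify_enabled', 1 ) ); ?>>
            Minify HTML output
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function srmh_example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // check_admin_referer() verifies the nonce in the named field for this
    // exact action and dies with "The link you followed has expired." when the
    // nonce is missing, invalid, or issued for a different action or user.
    check_admin_referer( 'srmh_example_save_settings', 'srmh_example_nonce' );

    $enabled = isset( $_POST['minify_enabled'] ) ? 1 : 0;
    update_option( 'srmh_example_minify_enabled', $enabled );
    wp_safe_redirect( admin_url( 'options-general.php?page=srmh-example&updated=1' ) );
    exit;
}

// Only the hardened handler is wired to the admin-post hook; the vulnerable
// one is kept above solely for comparison.
add_action( 'admin_post_srmh_example_save_settings', 'srmh_example_save_settings_hardened' );
```

Two points follow from the example. First, the capability check and the nonce check guard different things, which is why verifying the fix by logging in as a non-administrator proves nothing about CSRF; the test that matters is an administrator submitting the form with the srmh_example_nonce field stripped and seeing it rejected. Second, if the settings are saved through admin-ajax.php rather than admin-post.php, the equivalent call is check_ajax_referer() with the same action name, which is why the detection grep above searches for that function as well.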
If you cannot apply the fix in version 2.2, weigh the vulnerability against your organization's risk tolerance. Deactivating the plugin, or uninstalling it and choosing an alternative, removes the exposure entirely.
CVE-2026-1392 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the SR WP Minify HTML WordPress plugin, allowing attackers to modify plugin settings via forged requests.
You are affected if you are using the SR WP Minify HTML plugin versions 0.0.0 through 2.1. Upgrade to version 2.2 or later to mitigate the risk.
Upgrade the SR WP Minify HTML plugin to version 2.2 or later. As a temporary workaround, deactivate the plugin or use a WAF rule that blocks POST requests to the plugin's settings endpoint whose Origin or Referer header does not match your site; a WAF cannot validate WordPress nonces itself.
There are currently no known public exploits or active campaigns targeting CVE-2026-1392, but vigilance is still advised.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.