Platform: wordpress
Component: merge-minify-refresh
Fixed version: 2.15
CVE-2026-24384 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Merge + Minify + Refresh plugin for WordPress. This flaw allows an attacker to potentially execute unauthorized actions on a user's account if they are tricked into clicking a malicious link. The vulnerability impacts versions from 0.0.0 through 2.14, but a fix is available in version 2.15.
A successful CSRF attack could allow an attacker to modify plugin settings, delete files, or perform other actions as the logged-in user. The impact is amplified if the user has administrative privileges, potentially granting the attacker control over the entire WordPress site. This vulnerability is particularly concerning because it can be exploited without requiring the attacker to know the user's password, relying instead on social engineering or malicious websites. The blast radius extends to any user who interacts with the vulnerable plugin, making it a widespread risk for WordPress installations using Merge + Minify + Refresh.
CVE-2026-24384 was publicly disclosed on 2026-01-22. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. The medium CVSS score indicates a moderate risk of exploitation, particularly given the ease with which CSRF attacks can be launched.
WordPress websites utilizing the Merge + Minify + Refresh plugin, particularly those running older versions (0.0.0–2.14), are at risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable if they haven't been updated to the latest version. Administrators and users with significant permissions within the WordPress site are at the highest risk.
• wordpress / composer / npm:
grep -r 'merge-minify-refresh' /var/www/html/wp-content/plugins/
wp plugin list | grep 'Merge + Minify + Refresh'
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/merge-minify-refresh/ | grep Server
Disclosure
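The grep and wp-cli lines above only tell you whether the plugin is present; they do not tell you whether the installed copy is still inside the affected range. The script below is an added example (not part of this advisory and not the plugin's own code) that reads the plugin's Version header and compares it numerically against the fixed version 2.15. It assumes the standard WordPress layout, where the plugin's main PHP file under wp-content/plugins/merge-minify-refresh/ carries a "Version:" header line; the default plugins path is a placeholder and can be overridden with the first argument. The numeric field-by-field comparison matters here because a plain string comparison would rank "2.9" above "2.15".

```shell
#!/bin/sh
# Added example: check whether an installed Merge + Minify + Refresh copy is
# below the fixed version 2.15 named in the advisory for CVE-2026-24384.
# Assumption: the plugin's main PHP file carries a standard WordPress
# "Version:" header; the default plugins path is only a placeholder.

FIXED_VERSION="2.15"

# Extract the value of the "Version:" header from a plugin's main PHP file.
# Prints the version string, or nothing if no header is found.
plugin_version_from_header() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 (true) when version $1 is strictly lower than version $2.
# Fields are compared numerically, so "2.9" is lower than "2.15".
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$first" = "$1" ]
}

# Return 0 when the given version is in the affected range (below 2.15).
is_affected_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# Inspect a plugins directory; exit status 2 means an affected copy was found.
check_plugin_dir() {
    dir="${1:-/var/www/html/wp-content/plugins}/merge-minify-refresh"
    if [ ! -d "$dir" ]; then
        echo "merge-minify-refresh: not installed under $dir"
        return 0
    fi
    ver=""
    for f in "$dir"/*.php; do
        ver=$(plugin_version_from_header "$f")
        [ -n "$ver" ] && break
    done
    if [ -z "$ver" ]; then
        echo "merge-minify-refresh: installed but no Version header found; inspect manually"
        return 1
    fi
    if is_affected_version "$ver"; then
        echo "merge-minify-refresh $ver: AFFECTED by CVE-2026-24384, upgrade to $FIXED_VERSION or later"
        return 2
    fi
    echo "merge-minify-refresh $ver: not affected (>= $FIXED_VERSION)"
    return 0
}

# Stand-alone demonstration on a constructed plugin header (sample data, not a real install).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/merge-minify-refresh"
cat > "$demo_dir/merge-minify-refresh/merge-minify-refresh.php" <<'EOF'
<?php
/*
Plugin Name: Merge + Minify + Refresh
Version: 2.9
*/
EOF
check_plugin_dir "$demo_dir"
rm -rf "$demo_dir"
```

Run it as `sh check-mmr.sh /path/to/wp-content/plugins` on each site; an exit status of 2 flags a copy that still needs the upgrade, which makes the script easy to drop into a fleet-wide inventory loop.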
Exploitation status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to version 2.15 or later of the Merge + Minify + Refresh plugin. If upgrading immediately is not possible because of compatibility issues or testing requirements, consider implementing a Content Security Policy (CSP) to restrict the sources from which the plugin can load resources. Additionally, implement strict input validation and output encoding to prevent malicious scripts from being injected. Monitor web application firewalls (WAFs) for suspicious requests targeting the plugin's endpoints. After upgrading, confirm functionality by testing key plugin features and ensuring no unexpected behavior occurs.
Update to version 2.15 or later, or to the latest fixed version.
CVE-2026-24384 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–2.14 of the Merge + Minify + Refresh WordPress plugin, allowing attackers to perform unauthorized actions.
If you are using Merge + Minify + Refresh version 0.0.0 through 2.14 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade to version 2.15 or later of the Merge + Minify + Refresh plugin to resolve the CSRF vulnerability.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the official Merge + Minify + Refresh plugin documentation and WordPress security announcements for the latest advisory information.