{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1392", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-23T20:55:25.537Z", "datePublished": "2026-03-21T03:26:51.108Z", "dateUpdated": "2026-04-08T17:00:46.487Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:46.487Z"}, "affected": [{"vendor": "superrishi", "product": "SR WP Minify HTML", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the sr_minify_html_theme() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "SR WP Minify HTML <= 2.1 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/728aa62d-4853-4f55-9b77-82dfa6525b8a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sr-wp-minify-html/trunk/class.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/sr-wp-minify-html/tags/2.1/class.php#L33"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-03-20T15:19:05.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T17:06:41.266861Z", "id": "CVE-2026-1392", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:06:50.626Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1392", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T17:06:41.266861Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:06:46.644Z"}}], "cna": {"title": "SR WP Minify HTML <= 2.1 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "superrishi", "product": "SR WP Minify HTML", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:19:05.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/728aa62d-4853-4f55-9b77-82dfa6525b8a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sr-wp-minify-html/trunk/class.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/sr-wp-minify-html/tags/2.1/class.php#L33"}], "descriptions": [{"lang": "en", "value": "The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the sr_minify_html_theme() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:46.487Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1392", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:00:46.487Z", "dateReserved": "2026-01-23T20:55:25.537Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:51.108Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the sr_minify_html_theme() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin SR WP Minify HTML para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 2.1, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n sr_minify_html_theme(). Esto hace posible que atacantes no autenticados actualicen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1392", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:53.193", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sr-wp-minify-html/tags/2.1/class.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sr-wp-minify-html/trunk/class.php#L33"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/728aa62d-4853-4f55-9b77-82dfa6525b8a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "SR WP Minify HTML", "source": "cna", "vendor": "superrishi"}, "product": "sr_wp_minify_html", "vendor": "superrishi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:23:28.274848+00:00", "value": {"mitigation_remediation": ["Update SR WP Minify HTML to a version newer than 2.1 if available", "If update is not possible, disable or delete the plugin"], "summary": {"action": "Apply Patch", "impact": "Unauthenticated Settings Modification via Cross-Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the superrishi SR WP Minify HTML plugin versions up to and including 2.1 on all WordPress sites that have the plugin installed. Any site that has a version of this plugin below 2.2 is at risk. Administrators who have not upgraded after the public release of version 2.1 remain exposed.", "description_and_impact": "The SR WP Minify HTML plugin for WordPress contains a Cross\u2011Site Request Forgery flaw due to missing nonce validation in the sr_minify_html_theme() function. An unauthenticated attacker can forge a request that an administrator accepts, resulting in direct modification of the plugin\u2019s settings. This could alter the website\u2019s presentation or enable unintended features, and may be leveraged to facilitate further attacks if the plugin exposes additional configuration options.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an administrator to be tricked into clicking a crafted link or submitting a forged form, which is common in many CSRF scenarios. Because the attacker does not need elevated privileges and only needs to target an admin\u2019s authenticated session, the risk to an organization depends on the presence of the vulnerable plugin and the diligence of its administrators. While the impact is limited to configuration changes, if those changes are used to further compromise the site it can have cascading effects."}}}}, "created": "2026-03-23T09:50:29.880986+00:00", "updated": "2026-03-25T14:42:02.886016+00:00", "vendors": ["superrishi", "superrishi$PRODUCT$sr_wp_minify_html", "wordpress", "wordpress$PRODUCT$wordpress"]}