{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3191", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-25T09:05:41.076Z", "datePublished": "2026-03-31T11:18:56.726Z", "dateUpdated": "2026-04-08T17:35:04.350Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:04.350Z"}, "affected": [{"vendor": "teckel", "product": "Minify HTML", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html_menu_options' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Minify HTML <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe14b92b-1784-4083-9b9f-23d7f69a3215?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/minify-html-markup/tags/2.1.12/minify-html.php#L139"}, {"url": "https://plugins.trac.wordpress.org/changeset/3486011/minify-html-markup"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-03-30T23:01:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:06:40.524972Z", "id": "CVE-2026-3191", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:07:47.533Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3191", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T15:06:40.524972Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:06:54.505Z"}}], "cna": {"title": "Minify HTML <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "teckel", "product": "Minify HTML", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.12"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-30T23:01:56.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe14b92b-1784-4083-9b9f-23d7f69a3215?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/minify-html-markup/tags/2.1.12/minify-html.php#L139"}, {"url": "https://plugins.trac.wordpress.org/changeset/3486011/minify-html-markup"}], "descriptions": [{"lang": "en", "value": "The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html_menu_options' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:04.350Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3191", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:35:04.350Z", "dateReserved": "2026-02-25T09:05:41.076Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-31T11:18:56.726Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html_menu_options' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2026-3191", "lastModified": "2026-04-24T18:11:16.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-31T12:16:31.200", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/minify-html-markup/tags/2.1.12/minify-html.php#L139"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3486011/minify-html-markup"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe14b92b-1784-4083-9b9f-23d7f69a3215?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.12]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Minify HTML", "source": "cna", "vendor": "teckel"}, "product": "minify_html", "vendor": "teckel"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-31T12:21:41.988281+00:00", "value": {"mitigation_remediation": ["Upgrade the Minify HTML plugin to the latest available version that addresses the nonce validation issue. If an immediate upgrade is not possible, consider removing or disabling the plugin entirely to prevent configuration changes."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011Site Request Forgery allowing unauthenticated modification of plugin settings"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that uses the Minify HTML plugin with a version less than or equal to 2.1.12 is affected. No other vendors or products are listed, and the vulnerable version range stops at 2.1.12, with no additional sub\u2011versions specified.", "description_and_impact": "The Minify HTML plugin for WordPress, in all releases up to version 2.1.12, has a missing or incorrect nonce check in the minify_html_menu_options function. This flaw enables a forged request that an administrator may unknowingly submit, thereby changing the plugin\u2019s configuration. The flaw is a classic Cross\u2011Site Request Forgery (CWE\u2011352) that results in unauthorized configuration changes, potentially affecting site performance or exposing the site to further attacks.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a medium severity. Exploitation requires a social\u2011engineering vector: an attacker must entice a logged\u2011in administrator to load a crafted URL that triggers the vulnerable function. The EPSS score is not provided, and the vulnerability is not in the CISA Known Exploited Vulnerabilities catalog. Therefore, while the likelihood of a broad, automated attack appears low, the risk to any site with vulnerable plugin remains moderate due to reliance on administrator action."}}}}, "created": "2026-03-31T19:54:57.375588+00:00", "updated": "2026-03-31T20:38:51.366906+00:00", "vendors": ["teckel", "teckel$PRODUCT$minify_html", "wordpress", "wordpress$PRODUCT$wordpress"]}