[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDVcr1f2Xz51Tthtvbc8hYGp1nQ4YVo5rWwqo-piqmu4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-3191","minify-html-cross-site-request-forgery-to-plugin-settings-update","Minify HTML \u003C= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update","The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html_menu_options' function. 
This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","minify-html-markup",null,"\u003C=2.1.12","2.1.13","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:L","Cross-Site Request Forgery (CSRF)","2026-03-30 23:01:56","2026-03-31 11:18:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffe14b92b-1784-4083-9b9f-23d7f69a3215?source=api-prod",1,[22,23],"minify-html.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-3191 (Minify HTML CSRF)\n\n## 1. Vulnerability Summary\nThe **Minify HTML** plugin (\u003C= 2.1.12) contains a Cross-Site Request Forgery (CSRF) vulnerability in its settings management logic. The function `minify_html_menu_options` responsible for updating plugin configurations fails to properly enforce nonce verification. Specifically, the code only performs `wp_verify_nonce` if the nonce parameter is present in the `$_POST` request. By omitting the nonce parameter entirely, an attacker can bypass the check and update site options, provided they can trick an administrator into submitting a forged request.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Foptions-general.php?page=minify_html_options`\n- **HTTP Method:** `POST`\n- **Vulnerable Action:** The settings update logic is triggered when `minify_html_submit_hidden` is set to `Y`.\n- **Target Parameters:**\n    - `minify_html_submit_hidden`: Must be `Y`.\n    - `minify_html_active`: `yes` or `no`.\n    - `minify_javascript`: `yes` or `no`.\n    - `minify_html_comments`: `yes` or `no`.\n    - `minify_html_xhtml`: `yes` or `no`.\n    - `minify_html_relative`: `yes` or `no`.\n    - `minify_html_scheme`: `yes` or `no`.\n    - `minify_html_utf8`: `yes` or `no`.\n- **Authentication:** Requires an active Administrator session.\n- **Preconditions:** The plugin must be active.\n\n## 3. Code Flow\nThe vulnerability is located in `minify-html.php`:\n\n1.  **Entry Point:** The plugin registers an options page via `teckel_minify_html_menu()`:\n    ```php\n    add_options_page( 'Minify HTML Options', 'Minify HTML', 'manage_options', 'minify_html_options', 'minify_html_menu_options' );\n    ```\n2.  **Processing Function:** When the page is accessed (via `GET` or `POST`), `minify_html_menu_options()` executes.\n3.  **Submission Trigger:** The function checks for the submission flag:\n    ```php\n    if ( isset($_POST[ 'minify_html_submit_hidden' ]) && $_POST[ 'minify_html_submit_hidden' ] == 'Y' ) {\n    ```\n4.  **Vulnerable Nonce Check (Line ~102):**\n    ```php\n    if ( isset( $_POST['minify_html_nonce'] ) && !wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['minify_html_nonce'] ) ), 'minify-html-nonce' ) ) {\n        wp_die( esc_html( 'Form failed nonce verification.' ) );\n    }\n    ```\n    - **Vulnerability:** If `$_POST['minify_html_nonce']` is not set, the entire `if` block is skipped. The code proceeds directly to process and save the options via `update_option()`.\n\n## 4. Nonce Acquisition Strategy\n**Bypass Strategy:** No nonce acquisition is required for this exploit. 
The vulnerability is a **conditional nonce check bypass**. By simply omitting the `minify_html_nonce` key from the `POST` body, the security check is avoided entirely.\n\n## 5. Exploitation Strategy\nThe exploitation will use a forged `POST` request to disable all minification features.\n\n### Step-by-Step Plan:\n1.  **Session Setup:** Use the `http_request` tool with administrator cookies to simulate the CSRF attack.\n2.  **Payload Construction:**\n    - URL: `[BASE_URL]\u002Fwp-admin\u002Foptions-general.php?page=minify_html_options`\n    - Method: `POST`\n    - Content-Type: `application\u002Fx-www-form-urlencoded`\n    - Body:\n      ```\n      minify_html_submit_hidden=Y&minify_html_active=no&minify_javascript=no&minify_html_comments=no&minify_html_xhtml=no&minify_html_relative=no&minify_html_scheme=no&minify_html_utf8=no\n      ```\n    - **Note:** Do not include the `minify_html_nonce` parameter.\n3.  **Execution:** Send the request. Since `minify_html_nonce` is missing, the code will skip the verification and execute `update_option` calls for each parameter.\n\n## 6. Test Data Setup\n1.  Ensure the plugin \"Minify HTML\" is installed and activated.\n2.  Pre-set options to known values using WP-CLI to ensure a clean state:\n    ```bash\n    wp option update minify_html_active yes\n    wp option update minify_javascript yes\n    wp option update minify_html_comments yes\n    ```\n\n## 7. Expected Results\n- The HTTP response should be a `200 OK` (the page reloads showing the settings).\n- The response body will contain the settings page HTML, and the inputs for the options (e.g., `minify_html_active`) will now be set to \"no\" (unselected or the \"no\" radio button checked).\n- No \"Form failed nonce verification\" error should appear.\n\n## 8. 
Verification Steps\nAfter the `http_request` call, verify the database state using WP-CLI:\n```bash\n# Check if the primary toggle was disabled\nwp option get minify_html_active \n# Expected output: no\n\n# Check if other settings were changed\nwp option get minify_javascript\n# Expected output: no\n```\n\n## 9. Alternative Approaches\nIf the plugin logic was slightly different (e.g., if it used `check_admin_referer` without a nonce but verified the Referer header), the exploit would need to ensure the `Referer` header matches the admin URL. However, in this specific case, the `isset()` check on the nonce is the primary flaw. \n\nAnother impact test: Change `minify_html_relative` to `yes` to potentially break site links if the host isn't correctly handled, proving the ability to disrupt site functionality.","The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 2.1.12 because it uses a conditional nonce check. By omitting the nonce parameter from a POST request, an attacker can bypass security verification and update the plugin's configuration settings if they can trick an administrator into performing an action like clicking a link.","\u002F\u002F minify-html.php around line 139\n\tif ( isset($_POST[ 'minify_html_submit_hidden' ]) && $_POST[ 'minify_html_submit_hidden' ] == 'Y' ) {\n\t\tif ( isset( $_POST['minify_html_nonce'] ) && !wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['minify_html_nonce'] ) ), 'minify-html-nonce' ) ) {\n\t\t\twp_die( esc_html( 'Form failed nonce verification.' ) );\n\t\t}\n\t\tif ( isset( $_POST[ 'minify_html_active' ] ) ) $minify_html_active = filter_var ( wp_unslash( $_POST[ 'minify_html_active' ] ), FILTER_SANITIZE_FULL_SPECIAL_CHARS ); else $minify_html_active = 'yes';\n\t\t\u002F\u002F ... 
(rest of option saving logic)","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fminify-html-markup\u002F2.1.12\u002Fminify-html.php\t2025-01-15 15:41:04.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fminify-html-markup\u002F2.1.13\u002Fminify-html.php\t2026-03-18 20:31:56.000000000 +0000\n@@ -3,7 +3,7 @@\n Plugin Name: Minify HTML\n Plugin URI: https:\u002F\u002Fwww.wordpress.org\u002Fplugins\u002Fminify-html-markup\u002F\n Description: Minify your HTML for faster downloading and cleaning up sloppy looking markup.\n-Version: 2.1.12\n+Version: 2.1.13\n Author: Tim Eckel\n Author URI: https:\u002F\u002Fwww.dogblocker.com\n License: GPLv3 or later\n@@ -12,7 +12,7 @@\n *\u002F\n \n \u002F*\n-\tCopyright 2025  Tim Eckel  (email : eckel.tim@gmail.com)\n+\tCopyright 2026  Tim Eckel  (email : eckel.tim@gmail.com)\n \n \tMinify HTML is free software; you can redistribute it and\u002For modify\n \tit under the terms of the GNU General Public License as published by\n@@ -137,8 +137,8 @@\n \tif ( !$minify_html_scheme ) $minify_html_scheme = 'no';\n \tif ( !$minify_html_utf8 ) $minify_html_utf8 = 'no';\n \tif ( isset($_POST[ 'minify_html_submit_hidden' ]) && $_POST[ 'minify_html_submit_hidden' ] == 'Y' ) {\n-\t\tif ( isset( $_POST['minify_html_nonce'] ) && !wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['minify_html_nonce'] ) ), 'minify-html-nonce' ) ) {\n-\t\t\twp_die( esc_html( 'Form failed nonce verification.' ) );\n+\t\tif ( !isset( $_POST['minify_html_nonce'] ) || !wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['minify_html_nonce'] ) ), 'minify-html-nonce' ) ) {\n+\t\t\twp_die( esc_html( 'Security check failed. Nonce missing or invalid.' 
) );\n \t\t}\n \t\tif ( isset( $_POST[ 'minify_html_active' ] ) ) $minify_html_active = filter_var ( wp_unslash( $_POST[ 'minify_html_active' ] ), FILTER_SANITIZE_FULL_SPECIAL_CHARS ); else $minify_html_active = 'yes';\n \t\tif ( isset( $_POST[ 'minify_javascript' ] ) ) $minify_javascript = filter_var ( wp_unslash( $_POST[ 'minify_javascript' ] ), FILTER_SANITIZE_FULL_SPECIAL_CHARS ); else $minify_javascript = 'yes';","The exploit leverages a flaw where the plugin's settings update logic only verifies the nonce if it is explicitly provided in the POST body. An unauthenticated attacker can craft a malicious HTML page that sends a POST request to \u002Fwp-admin\u002Foptions-general.php?page=minify_html_options. The payload must include 'minify_html_submit_hidden=Y' and the desired settings (e.g., 'minify_html_active=no' to disable minification), but it must NOT include the 'minify_html_nonce' parameter. If an authenticated administrator visits this page, their browser will submit the request, and the plugin will save the malicious settings, bypassing the security check entirely.","gemini-3-flash-preview","2026-04-17 22:08:18","2026-04-17 22:08:36",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","2.1.12","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fminify-html-markup\u002Ftags\u002F2.1.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fminify-html-markup.2.1.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fminify-html-markup\u002Ftags\u002F2.1.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fminify-html-markup.2.1.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fminify-html-markup\u002Ftags"]
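Review bot: In the `@@ -137,8 +137,8 @@` hunk of minify-html.php the nonce test is now mandatory, but it is still a hand-written `!isset( ... ) || !wp_verify_nonce( ... )` condition, the same shape that produced the original bug when the first operand was written as `isset( ... ) &&`. Consider replacing it with `check_admin_referer( 'minify-html-nonce', 'minify_html_nonce' )`, which fails closed on a missing or invalid nonce in a single call. Separately, the unchanged context lines below the check default an absent `minify_html_active` or `minify_javascript` to 'yes' and only pass submitted values through `FILTER_SANITIZE_FULL_SPECIAL_CHARS`. Since these fields are yes/no toggles, an explicit allow-list comparison before saving would be tighter. The other two hunks only bump the version and copyright year and need no comment.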