CVE-2023-26014: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Tim Eckel Minify HTML WordPress plugin, affecting versions 2.1.7 and below. The vulnerability was reported on February 21, 2023, and was assigned CVE-2023-26014. The security issue allows attackers to manipulate plugin settings through CSRF attacks targeting authenticated administrators (Patchstack).

The vulnerability stems from the plugin's lack of CSRF protection mechanisms when updating its settings. It has been assigned a CVSS v3.1 base score of 4.3 (Medium) by Patchstack, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. However, NIST's NVD assessment provides a higher CVSS score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD, WPScan).

The vulnerability could allow malicious actors to force privileged users to execute unwanted actions under their current authentication. This could lead to unauthorized changes to the plugin's settings when an authenticated administrator visits a malicious webpage (Patchstack).

The vulnerability has been patched in version 2.1.8 of the Minify HTML plugin. Users are advised to update to version 2.1.8 or later to remove the vulnerability. For users unable to update immediately, no specific workarounds have been provided (WPScan).