NIXPKGS-2026-0079

GitHub issue published on 23 Jan 2026

Permalink CVE-2026-24384

updated 4 weeks, 1 day ago by @LeSuisse Activity log

Created automatic suggestion 4 weeks, 1 day ago
@LeSuisse accepted 4 weeks, 1 day ago
@LeSuisse published on GitHub 4 weeks, 1 day ago

WordPress Merge + Minify + Refresh plugin <= 2.14 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in launchinteractive Merge + Minify + Refresh merge-minify-refresh allows Cross Site Request Forgery.This issue affects Merge + Minify + Refresh: from n/a through <= 2.14.

Affected products

merge-minify-refresh

=<<= 2.14

Matching in nixpkgs

pkgs.wordpressPackages.plugins.merge-minify-refresh

None

nixos-unstable 2.12
- nixpkgs-unstable 2.12
- nixos-unstable-small 2.12

Needs to be upgraded to 2.15: https://wordpress.org/plugins/merge-minify-refresh/#developers

Upstream fix: https://github.com/Launch-Interactive/Merge-Minify-Refresh/commit/653e114c01940c43c50418ae1489ad2ce23cbe04

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0079

Affected products

Matching in nixpkgs

pkgs.wordpressPackages.plugins.merge-minify-refresh