The launchinteractive Merge + Minify + Refresh plugin versions up to 2.14 contain a Cross-Site Request Forgery (CSRF) vulnerability. This flaw allows an attacker to trick authenticated users into submitting unauthorized requests that could alter the plugin's behavior or settings. The CVSS 3.1 base score is 5.4, reflecting a network attack vector with low attack complexity, no privileges required, but requiring user interaction. The impact includes low confidentiality impact, low integrity impact, and low availability impact. No patch or official fix details are currently available, and no known exploits have been reported.

An attacker could exploit this CSRF vulnerability to cause an authenticated user to perform unintended actions within the Merge + Minify + Refresh plugin, potentially leading to limited integrity and availability impacts. There is no indication of confidentiality compromise. The medium severity rating reflects the moderate risk posed by this vulnerability given the need for user interaction and no privileges required.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix information is provided, users should monitor the vendor's communications for updates. Until a fix is available, consider implementing CSRF protections at the application or web server level if possible, or restrict access to trusted users only. No vendor advisory states that no action is required or that the issue is already mitigated.