Seraphinite Accelerator Security & Risk Analysis

wordpress.org/plugins/seraphinite-accelerator

Turns on site high speed to be attractive for people and search engines.

60K active installs · v2.28.15 · PHP 7.1+ · WP 4.5+ · Updated Feb 23, 2026
Tags: cache, optimize, pagespeed, performance, speed-up
Score: 95 (A · Safe)
CVEs total: 9
Unpatched: 0
Last CVE: Mar 3, 2026
Safety Verdict

Is Seraphinite Accelerator Safe to Use in 2026?

Generally Safe

Score 95/100

Seraphinite Accelerator has a strong security track record. Known vulnerabilities have been patched promptly.

9 known CVEs · Last CVE: Mar 3, 2026 · Updated 1mo ago
Risk Assessment

The Seraphinite Accelerator plugin, version 2.28.15, presents a significant security risk primarily due to its unprotected AJAX handlers and a history of diverse vulnerabilities. While the plugin demonstrates some good practices, such as a high percentage of prepared SQL statements and a substantial number of output escaping instances, these are overshadowed by critical security flaws. The presence of two AJAX handlers without authentication checks is a major concern, directly exposing potentially sensitive functionalities to unauthenticated users. Coupled with 6 out of 9 analyzed taint flows involving unsanitized paths, this indicates a high likelihood of code injection or path traversal vulnerabilities that could be exploited. The plugin's past vulnerability history, including 9 medium-severity CVEs covering missing authorization, SSRF, information exposure, XSS, CSRF, and open redirects, further exacerbates the risk. Although no critical or high vulnerabilities are currently unpatched, the recurring patterns of such weaknesses suggest inherent architectural flaws that may not be fully addressed in this version. This plugin requires immediate attention and remediation to mitigate its current risks.

Key Concerns

  • Unprotected AJAX handlers found
  • High number of unsanitized paths in taint flows
  • History of 9 medium severity CVEs
  • Use of dangerous functions (unserialize, proc_open)
  • Low percentage of properly escaped output
Vulnerabilities
9

Seraphinite Accelerator Security Vulnerabilities

CVEs by Year

  • 2023: 4 CVEs
  • 2024: 2 CVEs
  • 2025: 1 CVE
  • 2026: 2 CVEs

Severity Breakdown

Medium: 9 (9 total CVEs)

CVE-2026-3058 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

Seraphinite Accelerator <= 2.28.14 - Authenticated (Subscriber+) Exposure of Sensitive Information to an Unauthorized Actor

Mar 3, 2026 Patched in 2.28.15 (1d)
CVE-2026-3056 · medium · 4.3 · Missing Authorization

Seraphinite Accelerator <= 2.28.14 - Missing Authorization to Authenticated (Subscriber+) Log Clearing

Mar 3, 2026 Patched in 2.28.15 (1d)
CVE-2025-6059 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Seraphinite Accelerator <= 2.27.21 - Cross-Site Request Forgery to Multiple Administrative Actions

Apr 29, 2025 Patched in 2.27.22 (46d)
CVE-2024-1568 · medium · 6.4 · Server-Side Request Forgery (SSRF)

Seraphinite Accelerator <= 2.20.52 - Authenticated (Subscriber+) Server-Side Request Forgery in OnAdminApi_HtmlCheck

Feb 27, 2024 Patched in 2.21 (1d)
CVE-2024-22138 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Seraphinite Accelerator <= 2.20.47 - Unauthenticated Sensitive Information Exposure via Log File

Jan 8, 2024 Patched in 2.20.48 (25d)
CVE-2023-49740 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Seraphinite Accelerator <= 2.20.28 - Reflected Cross-Site Scripting via rt

Dec 1, 2023 Patched in 2.20.29 (53d)
CVE-2023-5611 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Seraphinite Accelerator (Base, cache only) <= 2.20.31 - Cross-Site Request Forgery

Oct 29, 2023 Patched in 2.20.32 (86d)
CVE-2023-5610 · medium · 5.4 · URL Redirection to Untrusted Site ('Open Redirect')

Seraphinite Accelerator <= 2.20.28 - Arbitrary Redirect via 'redir'

Oct 27, 2023 Patched in 2.20.29 (88d)
CVE-2023-5609 · medium · 6.1 · URL Redirection to Untrusted Site ('Open Redirect')

Seraphinite Accelerator <= 2.20.28 - Reflected Cross-Site Scripting via 'rt'

Oct 27, 2023 Patched in 2.20.29 (88d)
Code Analysis
Analyzed Mar 16, 2026

Seraphinite Accelerator Code Analysis

  • Dangerous Functions: 19
  • Raw SQL Queries: 2 (11 prepared)
  • Unescaped Output: 135 (174 escaped)
  • Nonce Checks: 6
  • Capability Checks: 15
  • File Operations: 142
  • External Requests: 5
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · Cmn\Gen.php:322 · $v = @unserialize( $data );
  • unserialize · Cmn\Gen.php:2845 · $chunk -> a = @unserialize( $chunk -> a );
  • proc_open · Cmn\Img.php:375 · $hProc = @proc_open( $cmdline, array( 2 => array( 'pipe', 'w' ) ), $pipes, null, null, array( 'bypas
  • proc_open · Cmn\Img.php:729 · $hProc = @proc_open( $cmdline, array( 2 => array( 'pipe', 'w' ) ), $pipes, null, null, array( 'bypas
  • proc_open · Cmn\Img.php:846 · $hProc = @proc_open( $cmdline, array( 2 => array( 'pipe', 'w' ) ), $pipes, null, null, array( 'bypas
  • unserialize · Cmn\Plugin.php:163 · $val = ( $val !== false ) ? @unserialize( $val ) : null;
  • unserialize · Cmn\Plugin.php:786 · $data = Gen::GetArrField( @unserialize( ( string )Gen::FileContentExclusive_Get( $h ) ), array( 'dat
  • unserialize · Cmn\Plugin.php:827 · $data = Gen::GetArrField( @unserialize( ( string )Gen::FileContentExclusive_Get( $h ) ), array( 'dat
  • unserialize · Cmn\Plugin.php:882 · $data = Gen::GetArrField( @unserialize( ( string )Gen::FileContentExclusive_Get( $h ) ), array( 'dat
  • unserialize · Cmn\Plugin.php:1045 · $data = Gen::GetArrField( @unserialize( Gen::FileContentExclusive_Get( $h, '' ) ), array( 'data' ),
  • unserialize · Cmn\Plugin.php:1111 · $data = Gen::GetArrField( @unserialize( Gen::FileContentExclusive_Get( $h, '' ) ), array( 'data' ),
  • unserialize · Cmn\Plugin.php:1150 · $data = Gen::GetArrField( @unserialize( Gen::FileContentExclusive_Get( $h, '' ) ), array( 'data' ),
  • unserialize · common.php:3141 · return( @unserialize( @file_get_contents( $filePath ) ) );
  • unserialize · common.php:3369 · $data = @unserialize( $data );
  • unserialize · common.php:4271 · $data = @unserialize( @file_get_contents( $fileTempQueue ) );
  • unserialize · common.php:4609 · $data = is_string( $data ) ? @unserialize( $data ) : null;
  • unserialize · common.php:4652 · $dataPrev = @unserialize( $dataPrev );
  • unserialize · common.php:5695 · return( Gen::GetArrField( unserialize( ( string )base64_decode( Gen::GetArrField( $sett, array( 'cac
  • unserialize · common.php:5800 · $aRegionsIp = @unserialize( $data );

SQL Query Safety

85% prepared · 13 total queries

Output Escaping

56% escaped · 309 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

9 flows · 6 with unsanitized paths
_Process (cache.php:48)
Attack Surface
2 unprotected

Seraphinite Accelerator Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers 2

  • auth · wp_ajax_seraph_accel_act · Cmn\Plugin.php:502
  • auth · wp_ajax_seraph_accel_api · Cmn\Plugin.php:598
WordPress Hooks 82
  • action · template_redirect · cache.php:327
  • filter · wp_redirect_status · cache.php:338
  • action · muplugins_loaded · cache.php:1364
  • action · wp_loaded · cache.php:1367
  • action · muplugins_loaded · cache.php:1369
  • filter · nginxchampuru_get_reverse_proxy_key · cache_ext.php:239
  • filter · wpe_purge_varnish_cache_paths · cache_ext.php:648
  • filter · pre_cache_alloptions · cache_obj.php:198
  • action · added_option · cache_obj.php:206
  • action · updated_option · cache_obj.php:207
  • action · deleted_option · cache_obj.php:208
  • action · shutdown · cache_obj.php:218
  • filter · safe_style_css · Cmn\Gen.php:4844
  • filter · option_home · Cmn\Gen.php:4937
  • filter · option_home · Cmn\Gen.php:4938
  • filter · home_url · Cmn\Gen.php:4941
  • filter · option_siteurl · Cmn\Gen.php:4969
  • filter · option_siteurl · Cmn\Gen.php:4970
  • filter · site_url · Cmn\Gen.php:4972
  • action · requests-requests.before_request · Cmn\Gen.php:5190
  • action · requests-requests.before_parse · Cmn\Gen.php:5191
  • filter · home_url · Cmn\Gen.php:6029
  • filter · wpml_get_language_from_url · Cmn\Gen.php:6034
  • filter · home_url · Cmn\Gen.php:6039
  • filter · load_textdomain_mofile · Cmn\Gen.php:6413
  • filter · post_link · Cmn\Gen.php:6564
  • action · admin_notices · Cmn\Plugin.php:483
  • action · network_admin_notices · Cmn\Plugin.php:484
  • action · plugins_loaded · Cmn\Plugin.php:488
  • action · change_locale · Cmn\Plugin.php:489
  • action · wp_loaded · Cmn\Plugin.php:498
  • filter · removable_query_args · Cmn\Plugin.php:504
  • action · admin_init · Cmn\Plugin.php:512
  • action · seraph_accel_postOpsRes · Cmn\Plugin.php:526
  • action · admin_enqueue_scripts · Cmn\Plugin.php:544
  • action · wp_loaded · Cmn\Plugin.php:583
  • filter · plugins_update_check_locales · Cmn\Plugin.php:591
  • action · admin_post_nopriv_seraph_accel_api · Cmn\Plugin.php:593
  • action · admin_post_seraph_accel_api · Cmn\Plugin.php:594
  • action · admin_footer · Cmn\Plugin.php:653
  • filter · admin_footer_text · Cmn\Plugin.php:1340
  • action · wp_loaded · common.php:3283
  • filter · nonce_life · common.php:5634
  • filter · wpforms_form_token_check_before_today · common.php:5651
  • action · admin_init · main.php:61
  • action · seraph_accel_postOpsRes · main.php:74
  • action · admin_notices · main.php:89
  • action · added_option · main.php:93
  • action · updated_option · main.php:94
  • action · deleted_option · main.php:95
  • action · transition_post_status · main.php:143
  • action · add_term_relationship · main.php:148
  • action · delete_term_relationships · main.php:149
  • action · deleted_term_relationships · main.php:150
  • action · set_object_terms · main.php:151
  • action · edit_post · main.php:153
  • action · pmxi_saved_post · main.php:155
  • action · pre_post_update · main.php:156
  • action · post_updated · main.php:157
  • action · before_delete_post · main.php:158
  • action · wp_update_comment_count · main.php:159
  • filter · wp_update_comment_data · main.php:160
  • action · added_post_meta · main.php:166
  • action · updated_post_meta · main.php:167
  • action · deleted_post_meta · main.php:168
  • filter · pre_update_option_permalink-manager-uris · main.php:170
  • action · init · main.php:196
  • action · woocommerce_geoip_updater · main.php:204
  • action · shutdown · main.php:239
  • action · set_logged_in_cookie · main.php:264
  • action · clear_auth_cookie · main.php:271
  • filter · itglx_wc1c_ignore_catalog_file_processing · main.php:303
  • action · wp_loaded · main.php:311
  • action · rest_api_init · main.php:318
  • action · init · main.php:319
  • action · init · main.php:324
  • action · init · main.php:347
  • action · woocommerce_geoip_updater · main.php:1087
  • action · woocommerce_geoip_updater · main.php:1254
  • action · woocommerce_geoip_updater · main.php:1255
  • filter · hmwp_umrewrites · options.php:6660
  • filter · hmwp_rewrites · options.php:6661
Maintenance & Trust

Seraphinite Accelerator Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 23, 2026
  • PHP min version: 7.1
  • Downloads: 803K

Community Trust

  • Rating: 96/100
  • Number of ratings: 472
  • Active installs: 60K
Developer Profile

Seraphinite Accelerator Developer Profile

Seraphinite Solutions

5 plugins · 61K total installs

  • Trust score: 84
  • Avg Security Score: 94/100
  • Avg Patch Time: 36 days
Detection Fingerprints

How We Detect Seraphinite Accelerator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/seraphinite-accelerator/seraphinite-accelerator.php
Script Paths
/wp-content/plugins/seraphinite-accelerator/seraphinite-accelerator.php
Version Parameters
seraphinite-accelerator/seraphinite-accelerator.php?ver=
seraphinite-accelerator/script.js?ver=
seraphinite-accelerator/style.css?ver=
seraphinite-accelerator/admin-style.css?ver=
