CVE-2026-3058

Seraphinite Accelerator <= 2.28.14 - Authenticated (Subscriber+) Exposure of Sensitive Information to an Unauthorized Actor

Exposure of Sensitive Information to an Unauthorized Actor

CVSS Score: 4.3
Severity: medium
Patched in: 2.28.15
Time to patch: 1d

Description

The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the `seraph_accel_api` AJAX action with `fn=GetData`. This is due to the `OnAdminApi_GetData()` function not performing any capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive operational data including cache status, scheduled task information, and external database state.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <= 2.28.14
Published: March 3, 2026
Last updated: March 4, 2026

What Changed in the Fix

Changes introduced in v2.28.15


Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan targets a sensitive information exposure vulnerability in the Seraphinite Accelerator plugin (<= 2.28.14). The vulnerability exists because the GetData function of the plugin's administrative API lacks capability checks, allowing any authenticated user (including Subscribers) to retrieve internal operational data.

1. Vulnerability Summary

  • ID: CVE-2026-3058
  • Vulnerability: Sensitive Information Exposure
  • Vulnerable Action: seraph_accel_api (AJAX action)
  • Vulnerable Parameter: fn=GetData
  • Vulnerable Function: OnAdminApi_GetData() (inferred callback within the API dispatcher)
  • Cause: The API handler verifies a WordPress nonce but fails to check if the current user has administrative privileges (e.g., current_user_can('manage_options')) before returning data.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Authentication: Required (Subscriber level or higher)
  • Preconditions: The attacker must obtain a valid WordPress nonce for the seraph_accel_api action.
  • HTTP Method: GET or POST
  • Parameters:
    • action: seraph_accel_api
    • fn: GetData
    • _wpnonce: A valid nonce for the seraph_accel_api action.

3. Code Flow

  1. The plugin registers an AJAX action seraph_accel_api (likely via add_action('wp_ajax_seraph_accel_api', ...) in main.php or oper.php).
  2. Requests are dispatched to a handler that routes calls based on the fn parameter.
  3. When fn=GetData is requested, the dispatcher calls OnAdminApi_GetData().
  4. OnAdminApi_GetData() (found in the plugin's administrative logic) retrieves operational state using functions like CacheGetInfo() (from oper.php) or by reading options via PluginOptions::Get() (from Cmn/Plugin.php).
  5. Because no capability check is performed, the response containing cache status, scheduled tasks, and database information is returned to the requester regardless of their role.

4. Nonce Acquisition Strategy

The plugin uses Plugin::GetAdminApiUri() (defined in Cmn/Plugin.php) to generate API URLs, which includes a nonce for the seraph_accel_api action.

Strategy:

  1. Create a Subscriber user and log in.
  2. Navigate to the WordPress Dashboard (/wp-admin/index.php).
  3. The plugin often prints administrative notices via _OnAdminNotices() (in main.php). These notices contain AJAX calls using nonces.
  4. Check for the presence of a global JavaScript object or an inline script containing the nonce.
  5. Execution:
    • Use browser_eval to search for the nonce in the page source or global variables.
    • Look specifically for strings matching _wpnonce= within onclick attributes or script tags, as seen in main.php's _OnAdminNotices call to Plugin::GetAdminApiUri.
    • Search specifically for the JavaScript variable or localization key associated with the plugin (often seraph_accel).

5. Exploitation Strategy

  1. Preparation:
    • Identify a Subscriber user session.
    • Extract the seraph_accel_api nonce using the strategy in Section 4.
  2. Request:
    • Send a GET request to admin-ajax.php with the following parameters:
      • action=seraph_accel_api
      • fn=GetData
      • _wpnonce=[EXTRACTED_NONCE]
  3. Payload Formulation:
    GET /wp-admin/admin-ajax.php?action=seraph_accel_api&fn=GetData&_wpnonce=[NONCE] HTTP/1.1
    Cookie: wordpress_logged_in_[HASH]...
    
  4. Refinement: If the response is empty, the function might require a siteId parameter. Try siteId=m (standard identifier for the main site in this plugin).

6. Test Data Setup

  1. Install Plugin: Ensure Seraphinite Accelerator <= 2.28.14 is active.
  2. Enable Cache: Go to the plugin settings and enable caching so there is operational data to "Get".
  3. Create User:
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  4. Simulate State: To ensure nonces appear in notices, you can trigger a "settings changed" state:
    • wp option update seraph_accel_state '{"settChangedUpdateCache":true}' (Note: this is an example; the plugin might use a different key in the seraph_accel_state JSON.)

7. Expected Results

A successful exploit will return a JSON object containing sensitive system information. Look for keys such as:

  • nObj, size, sizeCacheObj (Cache metrics from CacheGetInfo)
  • tasks or queue (Scheduled task info)
  • db or remote (Database status)
  • v (Version information)

8. Verification Steps

  1. Analyze Response: Confirm the HTTP status is 200 OK and the body is a JSON object.
  2. Verify Content: Check if the JSON contains data that should only be visible to admins (e.g., file paths in the cache directory, specific database table counts, or internal task names).
  3. Capability Confirmation: Verify that the requesting user (attacker) still has the subscriber role and lacks the manage_options capability:
    • wp user get attacker --field=roles (Should return subscriber).

9. Alternative Approaches

  • Diagnostic Endpoint: If GetData is restricted, try other functions that might be handled by the same dispatcher, such as GetState or GetLog, which might also lack capability checks.
  • Direct Option Reading: Since the plugin uses PluginOptions::Get(), check if fn=GetData allows an option parameter to read any seraph_accel_* option from the database.
  • Admin Notices: If the nonce is not in a notice, check the script localization: browser_eval("window.seraph_accel_admin?.api_nonce") (inferred variable name based on plugin slug).

Research Findings
Static analysis — not yet PoC-verified

Summary

The Seraphinite Accelerator plugin for WordPress lacks capability checks in its administrative AJAX handler when processing the 'GetData' function. This allows authenticated users with subscriber-level permissions to retrieve sensitive internal data, including cache metrics, database status, and scheduled task information.

Vulnerable Code

// main.php @ 2.28.14 around line 2307
function OnAdminApi_GetData( $args )
{
	// No current_user_can() check: any caller that passes the nonce test
	// (i.e. every logged-in user) reaches the data-collection code below.
	$siteId = !($args[ 'allSites' ]??null) ? GetSiteId() : null;

	$res = array();

	if( $siteId )
	{
---
// main.php @ 2.28.14 around line 2478
function OnAdminApi_LogClear( $args )
{
	// Same omission: the log is cleared for any authenticated caller.
	Gen::LogClear( GetCacheDir() . LogGetRelativeFile(), true );
}

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/seraphinite-accelerator/2.28.14/main.php	2026-02-20 20:44:00.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/seraphinite-accelerator/2.28.15/main.php	2026-02-23 23:03:08.000000000 +0000
@@ -2307,10 +2307,12 @@
 
 function OnAdminApi_GetData( $args )
 {
+	$res = array();
 
-	$siteId = !($args[ 'allSites' ]??null) ? GetSiteId() : null;
+	if( !current_user_can( 'manage_options' ) )
+		return( $res );
 
-	$res = array();
+	$siteId = !($args[ 'allSites' ]??null) ? GetSiteId() : null;
 
 	if( $siteId )
 	{
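Review bot: the new guard `if( !current_user_can( 'manage_options' ) ) return( $res );` answers an unauthorized caller with an empty array, which is exactly what an authorized caller can receive when there is no data, so clients and server-side monitoring cannot distinguish a denied request from an empty result; consider `wp_send_json_error( ..., 403 )` or `wp_die( -1, 403 )` so the refusal is explicit and loggable. Two further points on this hunk: the `allSites` path sets `$siteId` to null and collects data across sites, which on a multisite install is a network-level operation and arguably warrants `manage_network_options` rather than per-site `manage_options`; and because the check is placed inside the handler, every other `OnAdminApi_*` callback needs its own copy (the next hunk patches `OnAdminApi_LogClear` the same way), whereas one check in the dispatcher before routing on `fn` would cover handlers added later.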
@@ -2478,6 +2480,9 @@
 
 function OnAdminApi_LogClear( $args )
 {
+	if( !current_user_can( 'manage_options' ) )
+		return;
+
 	Gen::LogClear( GetCacheDir() . LogGetRelativeFile(), true );
 }
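Review bot: the bare `return;` makes an unauthorized `LogClear` request indistinguishable from a successful one for the caller, and it is inconsistent with the `return( $res )` used in the `GetData` hunk; returning an explicit error (or `wp_die( -1, 403 )`) would give both the UI and the access log a signal that a non-admin attempted a state-changing call. It would also be worth confirming in this change that no other `OnAdminApi_*` handler dispatched from the same `fn` switch still lacks the check, since the fix relies on each handler remembering to add it.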

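Added example (not Seraphinite's code): the same `manage_options` check that 2.28.15 adds to each handler, applied once in the AJAX dispatcher so every `fn` callback is covered, with an explicit 403 instead of an empty result. The action name, the `fn`, `_wpnonce` and `allSites` parameters and the two handler names come from this page; the dispatcher function, the namespace and the handler bodies are hypothetical stand-ins.

```php
<?php
// Hypothetical dispatcher (not the plugin's code) for the seraph_accel_api AJAX
// action: nonce, capability and fn allow-list are enforced once, before routing.
namespace seraph_accel_example; // hypothetical namespace

function admin_api_dispatch() {
	// A valid nonce only proves the request came from a page that was issued
	// one (CSRF protection); any logged-in user can obtain it.
	check_ajax_referer( 'seraph_accel_api', '_wpnonce' ); // wp_die( -1, 403 ) on failure

	// The check missing in <= 2.28.14: a Subscriber passes the nonce test but
	// must not read cache, task or database state.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
	}

	$args = wp_unslash( $_REQUEST );

	// allSites (seen in the patched GetData) asks for every site's data; on a
	// network that is a network-admin operation, not a per-site one.
	if ( ! empty( $args['allSites'] ) && is_multisite()
	     && ! current_user_can( 'manage_network_options' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}

	// Exact-match allow-list: unknown fn values never reach call_user_func.
	$handlers = array(
		'GetData'  => __NAMESPACE__ . '\OnAdminApi_GetData',
		'LogClear' => __NAMESPACE__ . '\OnAdminApi_LogClear',
	);
	$fn = ( isset( $args['fn'] ) && is_string( $args['fn'] ) ) ? $args['fn'] : '';
	if ( ! isset( $handlers[ $fn ] ) ) {
		wp_send_json_error( array( 'message' => 'unknown fn' ), 400 );
	}

	// Handlers need no capability check of their own: they run only for
	// callers that passed every gate above.
	wp_send_json_success( call_user_func( $handlers[ $fn ], $args ) );
}

// Stand-ins for the real handlers in main.php (hypothetical bodies).
function OnAdminApi_GetData( $args ) {
	return array( 'siteId' => empty( $args['allSites'] ) ? 'm' : null );
}
function OnAdminApi_LogClear( $args ) {
	return true;
}

// Only the logged-in hook is registered; no wp_ajax_nopriv_ variant exists,
// so unauthenticated requests are never routed to this dispatcher.
add_action( 'wp_ajax_seraph_accel_api', __NAMESPACE__ . '\admin_api_dispatch' );
```
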
Exploit Outline

The exploit involves an authenticated attacker with Subscriber-level access or higher performing the following steps:

  1. Log in to the WordPress site as a Subscriber.
  2. Access the WordPress dashboard and extract a valid WordPress nonce for the 'seraph_accel_api' action. This nonce is typically exposed in the HTML source of admin pages or within JavaScript objects (like 'seraph_accel') used for the plugin's UI notices.
  3. Send an AJAX request to /wp-admin/admin-ajax.php with the parameters 'action=seraph_accel_api', 'fn=GetData', and the extracted '_wpnonce'.
  4. If the site is multi-site or requires a specific ID, the attacker can append 'siteId=m' or 'allSites=1' to the request.
  5. The server will respond with a JSON object containing sensitive system details, such as cache paths, file sizes, database table counts, and internal task queues, which are normally restricted to administrators.
