CVE-2026-3056

Seraphinite Accelerator <= 2.28.14 - Missing Authorization to Authenticated (Subscriber+) Log Clearing

Severity: medium
Type: Missing Authorization
CVSS Score: 4.3
Patched in: 2.28.15
Time to patch: 1d

Description

The Seraphinite Accelerator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `seraph_accel_api` AJAX action with `fn=LogClear` in all versions up to, and including, 2.28.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's debug/operational logs.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.28.14
Published: March 3, 2026
Last updated: March 4, 2026

What Changed in the Fix

Changes introduced in v2.28.15; the patch diff is shown under Security Fix below.

Source Code

WordPress.org SVN

Research Plan

Status: Unverified


This research plan focuses on exploiting CVE-2026-3056, a missing authorization vulnerability in the Seraphinite Accelerator plugin that allows Subscriber-level users to clear the plugin's debug and operational logs.

1. Vulnerability Summary

The Seraphinite Accelerator plugin registers an AJAX action seraph_accel_api intended for administrative tasks. While it implements nonce verification to prevent CSRF, it fails to perform a capability check (e.g., current_user_can('manage_options')) within the handler when the fn parameter is set to LogClear. Consequently, any authenticated user with access to the WordPress admin dashboard (including Subscribers) can trigger this action.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: seraph_accel_api
  • Parameters:
    • action: seraph_accel_api (Required)
    • fn: LogClear (The specific function to execute)
    • _wpnonce: A valid WordPress nonce for the API (Required)
  • Authentication: Authenticated (Subscriber-level or higher)
  • Preconditions: The plugin must be active. Logs should ideally contain data to demonstrate "clearing."

3. Code Flow

  1. Entry Point: The request hits admin-ajax.php with action=seraph_accel_api.
  2. Hook Registration: The plugin registers add_action('wp_ajax_seraph_accel_api', ...) (Inferred from standard WordPress AJAX patterns and the CVE description).
  3. Handler Execution: The handler function (likely within the seraph_accel\Plugin or a dedicated controller class) is called.
  4. Nonce Check: The code likely calls check_ajax_referer('seraph_accel_api', '_wpnonce') or wp_verify_nonce.
  5. Missing Check: The code proceeds to process $_REQUEST['fn'] without calling current_user_can().
  6. Function Dispatch: When fn == 'LogClear', the plugin executes the log clearing logic, which typically involves deleting or truncating the log file or clearing a database option.
  7. Sink: The filesystem (via @unlink or file_put_contents) or the database (via delete_option).

4. Nonce Acquisition Strategy

The plugin enqueues its administrative scripts and nonces via the admin_notices hook in main.php.

  • Hook: _OnAdminNotices calls Plugin::_admin_printscriptsstyles().
  • Location: This runs on all /wp-admin/ pages, including the Dashboard and Profile pages accessible to Subscribers.
  • JS Variable: The plugin typically localizes its data into a global JavaScript object. Based on the naming conventions in main.php, the variable is likely seraph_accel_admin or seraph_accel.

Acquisition Steps:

  1. Log in as a Subscriber user.
  2. Navigate to /wp-admin/profile.php.
  3. Execute browser_eval to extract the nonce:
    browser_eval("window.seraph_accel_admin?.nonce || window.seraph_accel?.nonce")
    Note: If the key isn't 'nonce', inspect the object keys for anything resembling a 10-character alphanumeric string.

5. Exploitation Strategy

  1. Authentication: Authenticate the automated agent as a Subscriber.
  2. Nonce Retrieval: Use the strategy in Section 4 to obtain the nonce.
  3. Exploit Request: Send a POST request to admin-ajax.php.
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=seraph_accel_api&fn=LogClear&_wpnonce=[EXTRACTED_NONCE]
  4. Verification: Check the response. A successful response from this plugin's API usually returns a JSON object or a success code (like 0 for S_OK as defined in Cmn/Gen.php).

6. Test Data Setup

  1. Plugin Configuration: Ensure Seraphinite Accelerator is active.
  2. Generate Logs:
    • Navigate through various site pages to trigger operational logging.
    • If a "Debug Mode" exists in the plugin settings, enable it via WP-CLI:
      wp option update seraph_accel_sett '{"cache":{"enable":true,"debug":true}}' --format=json (Structure inferred).
  3. Verify Log Existence:
    • Check for log files in wp-content/uploads/seraph_accel/ or wp-content/seraph_accel/.
    • Check for log data in the database: wp option get seraph_accel_log.
  4. Create Attacker User:
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password

7. Expected Results

  • Response: The HTTP response should indicate success (HTTP 200 and potentially a JSON body indicating a success code 0).
  • Action: The log file on the filesystem should be empty or deleted, or the corresponding database option should be cleared.

8. Verification Steps

  1. Filesystem Check:
    • Run ls -l wp-content/uploads/seraph_accel/ before and after the exploit to see if the log file size changes to 0 or is deleted.
  2. Database Check:
    • Run wp option get seraph_accel_log (or similar) to confirm the log data is gone.
  3. UI Verification:
    • Login as Admin and visit the plugin's "Logs" or "Manage" page to see if the log viewer is empty.

9. Alternative Approaches

  • Parameter Variation: If _wpnonce is not the correct parameter name, try nonce.
  • Action Variation: If seraph_accel_api does not work, check main.php for other registered AJAX actions that might handle sub-functions via fn.
  • GET vs POST: While AJAX is typically POST, some WordPress handlers incorrectly process GET requests. If POST fails, try the same parameters via GET.

Research Findings

Static analysis — not yet PoC-verified

Summary

The Seraphinite Accelerator plugin for WordPress (versions <= 2.28.14) fails to perform authorization checks on certain AJAX functions. This allows authenticated users with Subscriber-level access to clear the plugin's operational and debug logs by invoking the 'LogClear' function through the 'seraph_accel_api' AJAX action.

Vulnerable Code

// main.php line 2307
function OnAdminApi_GetData( $args )
{

	$siteId = !($args[ 'allSites' ]??null) ? GetSiteId() : null;

	$res = array();
	// ... (truncated)

---

// main.php line 2478
function OnAdminApi_LogClear( $args )
{
	Gen::LogClear( GetCacheDir() . LogGetRelativeFile(), true );
}
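For comparison with the two handlers above, here is an added example (not Seraphinite Accelerator's code) of an admin-ajax dispatcher of the same shape that runs the nonce check and the capability check once, centrally, before any fn handler executes, so no individual handler depends on its author remembering current_user_can(). The nonce action name, the handler names and the log path are assumptions for illustration.

```php
<?php
// Added example for comparison, not Seraphinite Accelerator's code: an admin-ajax
// dispatcher of the same shape (action=seraph_accel_api, fn=<handler name>) that
// runs the nonce check and the capability check once, before any handler, so a
// Subscriber cannot reach a handler whose author forgot current_user_can().
// The nonce action name, handler names and log path are assumptions.

add_action( 'wp_ajax_seraph_accel_api', 'example_on_admin_api' );

function example_on_admin_api() {
	$fn = isset( $_REQUEST['fn'] ) ? (string) wp_unslash( $_REQUEST['fn'] ) : '';

	// 1. CSRF protection: dies with HTTP 403 when the nonce is missing or stale.
	check_ajax_referer( 'seraph_accel_api', '_wpnonce' );

	// 2. Authorization. A valid nonce only proves the request came from the
	//    user's own session, not that the user may administer the plugin.
	//    Fail closed with an explicit 403 (not a silent return) and leave a
	//    trace so denied calls are visible in the server log.
	if ( ! current_user_can( 'manage_options' ) ) {
		error_log( sprintf( 'seraph_accel_api: denied fn=%s user=%d', $fn, get_current_user_id() ) );
		wp_send_json_error( array( 'code' => 'forbidden' ), 403 );
	}

	// 3. Dispatch only through an explicit allow-list, never to a caller-chosen
	//    function name; exact-match the key (handler names are case-sensitive).
	$handlers = array(
		'GetData'  => 'example_on_admin_api_getdata',
		'LogClear' => 'example_on_admin_api_logclear',
	);
	if ( ! isset( $handlers[ $fn ] ) ) {
		wp_send_json_error( array( 'code' => 'unknown_fn' ), 400 );
	}

	$args = ( isset( $_REQUEST['args'] ) && is_array( $_REQUEST['args'] ) ) ? wp_unslash( $_REQUEST['args'] ) : array();
	wp_send_json_success( call_user_func( $handlers[ $fn ], $args ) );
}

function example_on_admin_api_getdata( $args ) {
	return array( 'allSites' => ! empty( $args['allSites'] ) );
}

function example_on_admin_api_logclear( $args ) {
	// Assumed log location. Truncate rather than unlink so file ownership and
	// permissions survive and the next write does not recreate the file.
	$log = WP_CONTENT_DIR . '/cache/seraph_accel/example.log';
	return array( 'cleared' => is_file( $log ) && false !== file_put_contents( $log, '' ) );
}
```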

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/seraphinite-accelerator/2.28.14/main.php /home/deploy/wp-safety.org/data/plugin-versions/seraphinite-accelerator/2.28.15/main.php
--- /home/deploy/wp-safety.org/data/plugin-versions/seraphinite-accelerator/2.28.14/main.php	2026-02-20 20:44:00.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/seraphinite-accelerator/2.28.15/main.php	2026-02-23 23:03:08.000000000 +0000
@@ -2307,10 +2307,12 @@
 
 function OnAdminApi_GetData( $args )
 {
+	$res = array();
 
-	$siteId = !($args[ 'allSites' ]??null) ? GetSiteId() : null;
+	if( !current_user_can( 'manage_options' ) )
+		return( $res );
 
-	$res = array();
+	$siteId = !($args[ 'allSites' ]??null) ? GetSiteId() : null;
 
 	if( $siteId )
 	{
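Review bot: the new `current_user_can( 'manage_options' )` guard in OnAdminApi_GetData returns the empty `$res` array on denial, so an unauthorized caller receives the same reply shape as a site with no data and nothing distinguishes the two on the client or in server logs; consider failing loudly, e.g. `wp_send_json_error( null, 403 )`, and applying the capability check once in the seraph_accel_api dispatcher rather than per handler, so any fn not touched by this patch is covered as well.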
@@ -2478,6 +2480,9 @@
 
 function OnAdminApi_LogClear( $args )
 {
+	if( !current_user_can( 'manage_options' ) )
+		return;
+
 	Gen::LogClear( GetCacheDir() . LogGetRelativeFile(), true );
 }
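Review bot: the bare `return;` added to OnAdminApi_LogClear means a Subscriber probing this fn gets a response indistinguishable from a successful clear; return an explicit error (e.g. `wp_send_json_error( null, 403 )`) so the denial is visible to the caller and leaves a 403 in the access log. Placing the guard before the `Gen::LogClear` call is right, since that sink is destructive and cannot be undone afterwards.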

Exploit Outline

The exploit involves an authenticated attacker with Subscriber-level privileges obtaining a valid nonce and sending a forged AJAX request.

  1. Log into the WordPress site as a Subscriber.
  2. Access any admin dashboard page (e.g., /wp-admin/profile.php) where the plugin's admin scripts are localized.
  3. Extract the AJAX nonce from the global JavaScript object (typically `seraph_accel_admin.nonce`).
  4. Send a POST request to `/wp-admin/admin-ajax.php` with the following parameters:
    • `action`: `seraph_accel_api`
    • `fn`: `LogClear`
    • `_wpnonce`: [The extracted nonce]
  5. Since the `OnAdminApi_LogClear` function lacks a `current_user_can()` check, the plugin will truncate the log files located in the cache directory.
