WordPress Security Bulletin: Seraphinite Accelerator Plugin Vulnerability (CVE-2026-3058)


Security Alert Summary

The Seraphinite Accelerator plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2026-3058). An authenticated user with Subscriber-level access or higher can call the plugin’s AJAX API action to retrieve operational data because an internal handler does not perform capability checks. Exposed data can include cache status, scheduled task information, and the state of an external database.


CVE Details

  • CVE ID: CVE-2026-3058
  • Affected component: Seraphinite Accelerator plugin for WordPress
  • Affected versions: All versions up to, and including, 2.28.14
  • Published: March 4, 2026 at 12:16 PM (UTC)
  • Last modified: March 4, 2026 at 12:16 PM (UTC)
  • CVSS v3.1: Base Score 4.3 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • Authentication / Privileges / User Interaction: Privileges Required: Low (authenticated user such as Subscriber-level or higher). User Interaction: None.
  • Primary impact: Confidentiality: Low; Integrity: None; Availability: None.
  • CWE / Weakness ID: CWE-200 (Information Exposure)
  • Fixed version: Not specified in the CVE entry.

Technical Details

The vulnerability is a Sensitive Information Exposure via the plugin’s AJAX interface. Specifically, the AJAX action seraph_accel_api when called with fn=GetData triggers the function OnAdminApi_GetData(), which does not perform any capability checks. Because the handler does not verify the caller’s capabilities, authenticated users with low privileges (Subscriber-level and above, per the report) can invoke this action and retrieve operational data provided by the function.

The sensitive information indicated in the report includes cache status, scheduled task information, and external database state. The issue exists because the plugin’s admin API endpoint relies on an internal function that omits required authorization checks, allowing the data to be returned to callers who should not have access.
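While no fixed version is listed, a defender can gate the documented call until a patched release ships. The following must-use plugin is an added example, not code from the Seraphinite Accelerator plugin or from this bulletin's authors: it hooks the same AJAX action ahead of the plugin's own handler and refuses fn=GetData to any user lacking the manage_options capability. It assumes the plugin registers its handler on the standard wp_ajax_seraph_accel_api hook at the default priority, and the function name example_cve_2026_3058_guard is a placeholder.

```php
<?php
/**
 * Interim mitigation for CVE-2026-3058 (illustrative example, not plugin code).
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * Assumption: the plugin's handler is attached to "wp_ajax_seraph_accel_api"
 * at the default priority (10). Priority 1 makes this guard run first.
 * Remove the file once a patched plugin version is installed.
 */
add_action( 'wp_ajax_seraph_accel_api', 'example_cve_2026_3058_guard', 1 );

function example_cve_2026_3058_guard() {
    // Only the documented "fn=GetData" call is gated; other functions are
    // passed through to the plugin's own handler unchanged.
    $fn = isset( $_REQUEST['fn'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['fn'] ) )
        : '';
    if ( 'GetData' !== $fn ) {
        return;
    }

    // manage_options is held by administrators; Subscribers and other
    // low-privilege roles do not have it, so they are refused here.
    if ( ! current_user_can( 'manage_options' ) ) {
        // Record the attempt for the activity monitoring recommended below.
        error_log( sprintf(
            'CVE-2026-3058 guard: blocked seraph_accel_api GetData for user ID %d',
            get_current_user_id()
        ) );
        // wp_send_json_error() sends the response and terminates the request,
        // so the plugin's handler never runs for this call.
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
}
```

Test in a staging environment first, since the guard also blocks any legitimate non-administrator use of this call that the plugin's own UI might rely on.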


How This Could Impact Your Website

Consider a site owner who manages a WordPress site with several internal staff editors and external contributors. If a contributor with Subscriber-level access (or an account with similarly low privileges) is able to trigger the vulnerable AJAX action, they could obtain operational details such as cache status, scheduled task listings, or the state of an external database. That information can make targeted phishing or social engineering more effective against staff or contractors by revealing operational patterns or backend dependencies.

While the vulnerability does not directly allow modification of content or denial of service according to the CVSS impacts, the exposure of operational details can increase risk and provide useful reconnaissance to an attacker. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Monitor the plugin’s official sources for a patched release and update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and capabilities; limit Subscriber and low-privilege accounts where possible.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual API calls or unexpected administrative API access patterns.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
