CVE-2026-3058
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2Description
The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the `seraph_accel_api` AJAX action with `fn=GetData`. This is due to the `OnAdminApi_GetData()` function not performing any capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive operational data including cache status, scheduled task information, and external database state.
Analysis
The Seraphinite Accelerator WordPress plugin through version 2.28.14 fails to validate user permissions on the `seraph_accel_api` AJAX endpoint, allowing authenticated subscribers and above to access sensitive operational data including cache status and database state. An attacker with a basic WordPress account can exploit the missing capability checks in the `OnAdminApi_GetData()` function to enumerate system information without administrative rights. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running for WordPress is vulnerable to Sensitive Information Exposur and apply vendor patches as part of regular patch cycle. Review data exposure and access controls.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today