Wordfence has disclosed two security vulnerabilities in the Seraphinite Accelerator WordPress plugin, which runs on more than 60,000 sites. The issues affect all plugin versions through 2.28.14 and are fixed in version 2.28.15. The flaws can be exploited by logged-in users with Subscriber-level access or higher on affected WordPress installations.
Key details: Seraphinite Accelerator WordPress plugin vulnerabilities
Wordfence reports that the Seraphinite Accelerator plugin exposes two authenticated vulnerabilities through an AJAX endpoint named seraph_accel_api, which processes internal Admin API calls. The endpoint accepts specific function parameters without properly confirming user permissions.
- Affected software: Seraphinite Accelerator WordPress plugin
- Active installations: more than 60,000 WordPress websites
- Affected versions: all releases up to and including 2.28.14
- Patched version: 2.28.15, which adds permission checks for the affected API functions
- Vulnerability 1: Sensitive information exposure via seraph_accel_api with fn=GetData, handled by OnAdminApi_GetData() without capability checks
- Vulnerability 2: Missing authorization via seraph_accel_api with fn=LogClear, allowing unauthorized clearing of debug and operational logs
- Required user level: any authenticated user with the Subscriber role or higher on the affected WordPress site
- Accessible data: cache status details, scheduled task information, and external database state returned by the GetData function
According to Wordfence, the GetData function can reveal operational information about caching, scheduled tasks, and external database connections. The LogClear function can be triggered by subscriber-level users to erase the plugin's debug and operational logs.
The plugin developers addressed these issues in version 2.28.15 by limiting access to both functions with explicit capability checks. Site owners using Seraphinite Accelerator are advised to update to version 2.28.15 or later.
Background context on Seraphinite Accelerator and WordPress permissions
Seraphinite Accelerator is a performance plugin designed to speed up WordPress sites through page caching. It creates static copies of pages so servers do not regenerate them for each visit. The plugin also supports GZip, Deflate, and Brotli compression and implements browser caching for returning visitors.
The vulnerabilities stem from missing capability checks within the plugin's Admin API dispatcher. WordPress plugins typically require the manage_options capability before exposing internal configuration or operational data to users. In this case, the relevant functions accepted requests from any authenticated user without verifying that capability.
The affected code handles incoming seraph_accel_api AJAX requests, reads the fn parameter, and routes calls to handler methods. For GetData, this mapping reached OnAdminApi_GetData(), which returned detailed runtime information. For LogClear, the same pathway reached a handler that cleared stored logs without confirming that the caller was an administrator.
Version 2.28.15 introduces capability checks around the GetData and LogClear API functions. The plugin changelog notes that these functions were previously callable by users without the manage_options privilege. The update restricts them to authorized administrators by validating that capability.
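As an added illustration of the pattern the fix describes (not code from the Seraphinite Accelerator plugin), the following minimal WordPress AJAX dispatcher gates every Admin API function behind a manage_options check before routing on the fn parameter. The action name, nonce name, handler names and option keys are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. Action, nonce, handler
// and option names below are hypothetical.
add_action( 'wp_ajax_example_api', 'example_admin_api_dispatch' );

function example_admin_api_dispatch() {
    // The class of flaw in the advisory: handlers reached from here without
    // this capability check are callable by any logged-in Subscriber.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Nonce bound to this action blocks cross-site request forgery.
    check_ajax_referer( 'example_api_nonce', 'nonce' );

    $fn = isset( $_REQUEST['fn'] ) ? sanitize_key( $_REQUEST['fn'] ) : '';

    // Explicit allow-list of functions; no dynamic method lookup on user input.
    $handlers = array(
        'GetData'  => 'example_admin_api_get_data',
        'LogClear' => 'example_admin_api_log_clear',
    );
    if ( ! isset( $handlers[ $fn ] ) ) {
        wp_send_json_error( 'unknown function', 400 );
    }
    call_user_func( $handlers[ $fn ] );
}

function example_admin_api_get_data() {
    // Operational state (cache status, scheduled tasks) that only
    // administrators should be able to read.
    wp_send_json_success( array(
        'cache_ready' => (bool) get_option( 'example_cache_ready' ),
        'next_cron'   => wp_next_scheduled( 'example_cache_refresh' ),
    ) );
}

function example_admin_api_log_clear() {
    // Destructive operation: clearing logs removes evidence an
    // administrator may need, so it must stay behind the capability check.
    delete_option( 'example_debug_log' );
    wp_send_json_success( 'log cleared' );
}
```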
Source citations and official advisories
Wordfence documents both vulnerabilities in its public threat intelligence database. The first advisory covers exposure of sensitive operational data through the GetData function, while the second describes missing authorization checks that allow subscriber-level users to clear logs.