    Seraphinite Accelerator WordPress Plugin Vulnerabilities Affect 60K Sites

    By admin, March 4, 2026

    A security advisory was issued for two vulnerabilities affecting the Seraphinite Accelerator WordPress plugin, which is installed on over 60,000 websites. The vulnerabilities can be exploited by any logged-in user with at least subscriber-level access.

    The Seraphinite Accelerator WordPress plugin flaw allows authenticated attackers to retrieve internal operational data from a website and also make unauthorized changes. The issue affects all versions of the plugin up to and including 2.28.14. The developers fixed the vulnerability in version 2.28.15.

    What The Plugin Does

    Seraphinite Accelerator is a performance plugin used to speed up WordPress sites. Its main function is creating cached versions of pages so the server does not need to generate them every time someone visits the site. The plugin also supports multiple compression formats, including GZip, Deflate, and Brotli, enables browser caching, and separates cached data for different devices and environments to reduce server load.

    Who Can Exploit The Vulnerability

    Exploiting the vulnerability requires authentication, but only at the low subscriber level, which is commonly assigned to users who register on a site. This means attackers do not need administrator access. A basic user account is enough to trigger the vulnerable function.

    What The Security Failure Is

    The vulnerability exists because the plugin does not verify whether a user has permission to access a specific API function. The plugin exposes an AJAX endpoint named seraph_accel_api. One of the functions that can be called through that endpoint is GetData, which is handled internally by the OnAdminApi_GetData() function.

    According to the advisory:

    “The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the `seraph_accel_api` AJAX action with `fn=GetData`. This is due to the `OnAdminApi_GetData()` function not performing any capability checks.

    This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive operational data including cache status, scheduled task information, and external database state.”

    In a second advisory for a similar vulnerability, Wordfence warns of modifications that attackers could make on a website:

    “The Seraphinite Accelerator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `seraph_accel_api` AJAX action with `fn=LogClear` in all versions up to, and including, 2.28.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin’s debug/operational logs.”

    In WordPress, capability checks are used to confirm that a user has permission to perform an administrative action. Plugins typically require the manage_options capability for functions that expose internal system data.

    Because this check was missing, the plugin allowed any logged-in user to call the API function and retrieve information that should only be available to administrators.

    The affected part of the plugin is:

    • an “Admin API” controller/dispatcher (because methods are named OnAdminApi_*)
    • the specific endpoint/function: GetData
    • and likely another endpoint/function: LogClear (from changelog)

    The affected “script area” is the code that:

    • receives the request
    • reads fn
    • calls OnAdminApi_GetData() (and similarly OnAdminApi_LogClear() or equivalent)

    The core issue then is broken authorization because the admin-only OnAdminApi_GetData() function does not perform capability checks.
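    The pattern described above, sketched as an added example (this is not the Seraphinite plugin's code; the action name example_accel_api, the handler functions and the nonce name are hypothetical). It shows a WordPress AJAX dispatcher that checks the manage_options capability before routing on fn:

```php
<?php
/**
 * Plugin Name: Example AJAX capability check (illustration only)
 */

// Hypothetical handlers standing in for admin-only API functions.
function example_api_get_data(): array {
    return array( 'cache_status' => 'ok' ); // constructed sample data
}
function example_api_log_clear(): array {
    return array( 'cleared' => true ); // constructed sample data
}

// wp_ajax_{action} fires for ANY logged-in user, subscribers included.
// Registering a handler here does not restrict it to administrators.
add_action( 'wp_ajax_example_accel_api', 'example_accel_api_dispatch' );

function example_accel_api_dispatch(): void {
    // Weak pattern (the class of bug the advisory describes): routing on
    // the fn parameter with no permission check. is_admin() is not a
    // substitute, because it is true for every admin-ajax.php request.

    // 1. Authorization: require the admin capability before any dispatch.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'error' => 'forbidden' ), 403 );
    }

    // 2. Request origin: verify a nonce issued to the admin screen with
    //    wp_create_nonce( 'example_accel_api' ). Dies on failure.
    check_ajax_referer( 'example_accel_api', 'nonce' );

    // 3. Dispatch only to an explicit allowlist of function names.
    $handlers = array(
        'GetData'  => 'example_api_get_data',
        'LogClear' => 'example_api_log_clear',
    );
    $fn = isset( $_REQUEST['fn'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['fn'] ) )
        : '';
    if ( ! isset( $handlers[ $fn ] ) ) {
        wp_send_json_error( array( 'error' => 'unknown function' ), 400 );
    }

    wp_send_json_success( call_user_func( $handlers[ $fn ] ) );
}
```

    Placing the capability check in the dispatcher, ahead of the fn lookup, covers every function routed through the endpoint, so a newly added handler cannot be exposed by forgetting a per-function check.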

    What Attackers Can Access

    The vulnerable function returns operational information about the plugin and the site environment.

    Attackers can retrieve:

    • Cache status information
    • Scheduled task information
    • External database state

    This information reveals how the plugin is operating on the server and how certain processes are scheduled. While this does not directly give attackers control of the website, it exposes internal system details that are normally restricted to administrators.

    How The Vulnerability Was Fixed

    The developers patched the flaw in version 2.28.15 by restricting access to the affected API functions.

    The plugin changelog explains that the LogClear and GetData API functions could be called by users who did not have the manage_options privilege. The fix restores the required capability check so that only authorized administrators can access those functions.

    What Site Owners Should Do

    Site owners using the Seraphinite Accelerator plugin should update to version 2.28.15 or newer. Updating removes the exposed API access and prevents subscriber-level users from retrieving the operational data.
