Seraphinite Accelerator WordPress Plugin Vulnerabilities Affect 60K Sites

According to Roger Montti’s article on Search Engine Journal, “Seraphinite Accelerator WordPress Plugin Vulnerabilities Affect 60K Sites,” two security vulnerabilities have been identified in the Seraphinite Accelerator WordPress plugin, potentially impacting over 60,000 websites.

Vulnerability Overview

Montti notes that authenticated users with Subscriber-level access or higher can exploit both vulnerabilities, making them easy to trigger on sites with user registration. Versions up to 2.28.14 are affected; version 2.28.15 contains the patch.

Root Cause: Missing Capability Checks

The main issue is the lack of permission checks in the plugin’s internal API. The plugin exposes an AJAX endpoint (seraph_accel_api) that permits administrative functions without confirming user privileges.

As a result, low-privilege users can access functionality that should be restricted to administrators.

What Attackers Can Do

Montti explains that the vulnerabilities allow attackers to:

  • Access sensitive operational data, including:
    • Cache status
    • Scheduled task information
    • External database state
  • Modify plugin data, such as:
    • Clearing debug and operational logs

Although these flaws do not allow full site takeover, they expose internal system details and permit unauthorized changes that could facilitate further attacks or conceal malicious activity.

Why It Matters

The exposed data provides insight into how the plugin and server operate, which could help attackers plan more advanced exploits. Additionally, the ability to clear logs could hinder the detection and investigation of suspicious behavior.

Patch and Recommendations

The vulnerabilities have been fixed in version 2.28.15, which added proper capability checks to restrict access to authorized users.
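To make the root cause and the fix concrete, here is an added example (not the Seraphinite plugin's own code) of a WordPress admin-ajax handler written with the missing-capability-check pattern described above, beside the capability-checked form that a patch like 2.28.15's would add. The action name `example_accel_api`, the operations and the option names are hypothetical stand-ins, not the real `seraph_accel_api` implementation.

```php
<?php
// Added example, not the plugin's code. Action and option names are hypothetical.

// BEFORE: wp_ajax_* fires for every logged-in user (Subscriber and up), and
// nothing here checks capabilities, so any registered account can read the
// status data or clear the log. Kept deliberately unchecked to show the flaw.
function example_accel_api_vulnerable() {
    $op = isset( $_REQUEST['op'] ) ? sanitize_key( wp_unslash( $_REQUEST['op'] ) ) : '';
    wp_send_json( example_accel_run( $op ) );
}
add_action( 'wp_ajax_example_accel_api_vuln', 'example_accel_api_vulnerable' );

// AFTER: verify a nonce (blocks cross-site request forgery) and require an
// administrator-level capability before any operation runs. manage_options is
// the usual bar for admin-only plugin actions; use the narrowest one that fits.
function example_accel_api_fixed() {
    check_ajax_referer( 'example_accel_api', 'nonce' ); // dies with HTTP 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $op = isset( $_REQUEST['op'] ) ? sanitize_key( wp_unslash( $_REQUEST['op'] ) ) : '';
    wp_send_json_success( example_accel_run( $op ) );
}
add_action( 'wp_ajax_example_accel_api', 'example_accel_api_fixed' );

// Stand-in for the plugin's internal operations: a status read and a log clear,
// the two kinds of access the article describes.
function example_accel_run( $op ) {
    switch ( $op ) {
        case 'status':
            return array( 'cache' => get_option( 'example_accel_cache_state', 'unknown' ) );
        case 'clear_logs':
            delete_option( 'example_accel_debug_log' );
            return array( 'cleared' => true );
        default:
            return array( 'error' => 'unknown op' );
    }
}

// The admin page's JavaScript must send the matching nonce as the "nonce"
// parameter; generate it server-side with wp_create_nonce( 'example_accel_api' ).
```

The capability check alone closes the privilege gap the article describes; the nonce check is the standard companion so an administrator cannot be tricked into triggering the action from another site.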

Montti recommends that site owners update immediately. Unpatched installations of the plugin allow basic user accounts to access sensitive data and perform unauthorized actions, underscoring the need for strict permission enforcement in WordPress plugins.