Vulnerabilities and security researches forseraphinite-accelerator seraphinite-accelerator

Jun 07, 2024

CVE, Research URL: CVE-2023-5610
Home page URL: Security reports for Seraphinite Accelerator
Application: Seraphinite Accelerator
Date: Nov 21, 2023
Research Description: The Seraphinite Accelerator WordPress plugin before 2.2.29 does not validate the URL to redirect any authenticated user to, leading to an arbitrary redirect
Affected versions: max 2.20.32.
Status: vulnerable

CVE, Research URL: CVE-2023-5609
Home page URL: Security reports for Seraphinite Accelerator
Application: Seraphinite Accelerator
Date: Nov 21, 2023
Research Description: The Seraphinite Accelerator WordPress plugin before 2.2.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Affected versions: max 2.20.29.
Status: vulnerable

CVE, Research URL: CVE-2024-1568
Home page URL: Security reports for Seraphinite Accelerator
Application: Seraphinite Accelerator
Date: Feb 28, 2024
Research Description: The Seraphinite Accelerator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.20.52 via the OnAdminApi_HtmlCheck function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Affected versions: max 2.21.
Status: vulnerable

CVE, Research URL: CVE-2023-49740
Home page URL: Security reports for Seraphinite Accelerator
Application: Seraphinite Accelerator
Date: Dec 14, 2023
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Seraphinite Solutions Seraphinite Accelerator allows Reflected XSS.This issue affects Seraphinite Accelerator: from n/a through 2.20.28.
Affected versions: max 2.20.29.
Status: vulnerable

CVE, Research URL: CVE-2023-5611
Home page URL: Security reports for Seraphinite Accelerator
Application: Seraphinite Accelerator
Date: Nov 27, 2023
Research Description: The Seraphinite Accelerator WordPress plugin before 2.20.32 does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them
Affected versions: max 2.20.32.
Status: vulnerable

CVE, Research URL: CVE-2024-22138
Home page URL: Security reports for Seraphinite Accelerator
Application: Seraphinite Accelerator
Date: Mar 28, 2024
Research Description: Insertion of Sensitive Information into Log File vulnerability in Seraphinite Solutions Seraphinite Accelerator.This issue affects Seraphinite Accelerator: from n/a through 2.20.47.
Affected versions: max 2.20.48.
Status: vulnerable

Dec 23, 2024

CVE, Research URL: CVE-2024-54222
Home page URL: Security reports for Seraphinite Accelerator
Application: Seraphinite Accelerator
Date: Feb 20, 2026
Research Description: Missing Authorization vulnerability in Seraphinite Solutions Seraphinite Accelerator seraphinite-accelerator allows Retrieve Embedded Sensitive Data.This issue affects Seraphinite Accelerator: from n/a through <= 2.22.15.
Affected versions: max 2.22.16.
Status: vulnerable

Apr 15, 2026

CVE, Research URL: CVE-2026-3058
Home page URL: Security reports for Seraphinite Accelerator
Application: Seraphinite Accelerator
Date: Mar 04, 2026
Research Description: The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the `seraph_accel_api` AJAX action with `fn=GetData`. This is due to the `OnAdminApi_GetData()` function not performing any capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive operational data including cache status, scheduled task information, and external database state.
Affected versions: max 2.28.15.
Status: vulnerable

CVE, Research URL: CVE-2026-3056
Home page URL: Security reports for Seraphinite Accelerator
Application: Seraphinite Accelerator
Date: Mar 04, 2026
Research Description: The Seraphinite Accelerator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `seraph_accel_api` AJAX action with `fn=LogClear` in all versions up to, and including, 2.28.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's debug/operational logs.
Affected versions: max 2.28.15.
Status: vulnerable