What the vulnerability does
01 Description
The Seraphinite Accelerator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.27.21. This is due to missing or incorrect nonce validation on the 'OnAdminApi_CacheOpBegin' function. This makes it possible for unauthenticated attackers to perform several administrative actions, including deleting the cache, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
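The root cause named above, a state-changing admin endpoint that does not verify a nonce, and the corresponding fix look like this in a generic WordPress plugin. This is an added illustration and not code from Seraphinite Accelerator; the handler, action, hook and nonce names (`demo_cache_op`, `demo_cache_op_begin_*`, `settings_page_demo-cache`) are hypothetical, while the WordPress functions used (`check_ajax_referer`, `current_user_can`, `wp_create_nonce`, `wp_localize_script`) are real core APIs.

```php
<?php
/**
 * Added illustration (not the plugin's code) of why a missing nonce check makes a
 * WordPress admin-ajax endpoint forgeable, next to the hardened form.
 * All demo_* names and the 'demo_cache_op' action are hypothetical.
 */

// Stand-in for the plugin's cache operation: 'clear' flushes the object cache.
function demo_run_cache_op( $op ) {
    if ( 'clear' === $op ) {
        wp_cache_flush();
    }
}

// --- Vulnerable pattern: capability check only --------------------------------
// A capability check alone does not stop CSRF. The forged request is issued by the
// victim admin's own browser with their session cookies, so current_user_can()
// passes. Nothing ties the request to a page the admin actually interacted with.
// Calling wp_verify_nonce() but ignoring its return value (it returns false, 1 or 2)
// is the "incorrect validation" variant and is equally forgeable.
function demo_cache_op_begin_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $op = isset( $_REQUEST['op'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['op'] ) ) : '';
    demo_run_cache_op( $op );
    wp_send_json_success();
}

// --- Hardened pattern: nonce + capability + POST only -------------------------
function demo_cache_op_begin_hardened() {
    // 1. Nonce: check_ajax_referer() reads $_REQUEST['nonce'] (the query arg named
    //    in its second parameter) and terminates with HTTP 403 when the nonce is
    //    absent, expired, or was issued for another action or another user.
    //    A page on an attacker's origin cannot read this per-user, per-action value.
    check_ajax_referer( 'demo_cache_op', 'nonce' );

    // 2. Capability: the nonce proves intent, not authorization; keep both.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. State changes should not be reachable via GET, which is what a bare link
    //    or an <img src> can trigger without any script on the attacker's page.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( 'method not allowed', 405 );
    }

    $op = isset( $_POST['op'] ) ? sanitize_text_field( wp_unslash( $_POST['op'] ) ) : '';
    demo_run_cache_op( $op );
    wp_send_json_success();
}

// Register only the hardened handler. admin-ajax.php routes action=demo_cache_op
// here for logged-in users; there is deliberately no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_demo_cache_op', 'demo_cache_op_begin_hardened' );

// Hand the nonce to the plugin's own settings page so legitimate requests carry it.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_demo-cache' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'demo-cache-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-cache-admin', 'demoCache', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_cache_op' ),
    ) );
} );
```

The hypothetical `admin.js` then POSTs `action=demo_cache_op`, `op=clear` and `nonce=demoCache.nonce` to `demoCache.ajaxUrl`. When auditing a plugin for this class of bug, the check is mechanical: every `wp_ajax_*` (and `admin_post_*`) handler that changes state should reach a `check_ajax_referer()` / `check_admin_referer()` call, or test the return value of `wp_verify_nonce()`, before it does anything, and the nonce should be created for that specific action rather than a shared one.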
Explanation of Vulnerability in Simple Terms
02 Summary
Seraphinite Accelerator versions up to 2.27.21 contain a cross-site request forgery (CSRF) vulnerability that allows attackers to perform unauthorized actions on behalf of site administrators. An attacker can craft a malicious link or page that, when visited by an admin, executes unwanted changes to the site's configuration or settings. The vulnerability requires no special privileges but does require the victim to click a link or visit a page controlled by the attacker.
What an attacker can do
03 Attacker Capabilities
Trick an admin into performing unwanted actions on the site, such as changing settings or configuration.
Potential impact on your site
04 Site Impact
Site admins could unknowingly authorize changes to Seraphinite Accelerator settings, potentially degrading site performance or security.
Conditions required to exploit
05 Prerequisites
An administrator must visit a malicious link or page crafted by the attacker.
Key dates
06 Disclosure timeline
June 14, 2025: CVE published
April 8, 2026: Record updated