CVE-2025-6059 MEDIUM

CVE-2025-6059: Seraphinite Accelerator <= 2.27.21 - Cross-Site Request Forgery to Multiple Administrative Actions

Vendor Seraphinitesoft
Product Seraphinite Accelerator
Weakness CWE-352 · CSRF
Published June 14, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Seraphinite Accelerator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.27.21. This is due to missing or incorrect nonce validation on the 'OnAdminApi_CacheOpBegin' function. This makes it possible for unauthenticated attackers to perform several administrative actions, including deleting the cache, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
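For readers who maintain WordPress plugins, the following is an added illustration of the defect class and its standard fix; it is not the Seraphinite Accelerator code, and the handler, hook and nonce action names (`seraph_example_*`) are hypothetical. The point is that a browser attaches the admin's session cookies to a cross-site request automatically, so only a per-action nonce (plus a capability check) lets the handler reject a forged request.

```php
<?php
// Added example, not the plugin's own code. Names prefixed seraph_example_ are
// hypothetical; the nonce + capability pattern is the standard WordPress fix.

// BEFORE (vulnerable pattern): the handler trusts any request that arrives with
// an administrator's session cookies, so a request forged by another site runs.
function seraph_example_cache_op_begin_unsafe() {
    $op = isset( $_POST['op'] ) ? sanitize_key( $_POST['op'] ) : '';
    if ( 'clear' === $op ) {
        seraph_example_clear_cache(); // hypothetical destructive action
    }
    wp_send_json_success();
}

// AFTER (hardened pattern): require a valid nonce bound to this action AND an
// explicit capability check. A cross-site page cannot read the nonce, so a
// forged request is rejected before any cache operation runs.
function seraph_example_cache_op_begin_safe() {
    // Sends a 403 and stops when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'seraph_example_cache_op', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $op = isset( $_POST['op'] ) ? sanitize_key( $_POST['op'] ) : '';
    if ( 'clear' === $op ) {
        seraph_example_clear_cache();
    }
    wp_send_json_success();
}
// Only the authenticated hook is registered; no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_seraph_example_cache_op_begin', 'seraph_example_cache_op_begin_safe' );

// The nonce is issued only to the legitimate admin page, for its own script.
function seraph_example_enqueue_admin_js() {
    wp_enqueue_script( 'seraph-example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'seraph-example-admin', 'seraphExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'seraph_example_cache_op' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'seraph_example_enqueue_admin_js' );

function seraph_example_clear_cache() {
    // Hypothetical: remove cached pages from disk or the object cache.
}
```

The capability check alone would not have prevented this issue, because the forged request is sent by a logged-in administrator's browser; the nonce is what ties the request to a page the plugin itself rendered.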

Explanation of Vulnerability in Simple Terms

02 Summary

Seraphinite Accelerator versions up to 2.27.21 contain a cross-site request forgery (CSRF) vulnerability that allows attackers to perform unauthorized actions on behalf of site administrators. An attacker can craft a malicious link or page that, when visited by an admin, executes unwanted changes to the site's configuration or settings. The vulnerability requires no special privileges but does require the victim to click a link or visit a page controlled by the attacker.

What an attacker can do

03 Attacker Capabilities

Trick an admin into performing unwanted actions on the site, such as changing settings or configuration.

Potential impact on your site

04 Site Impact

Site admins could unknowingly authorize changes to Seraphinite Accelerator settings, potentially degrading site performance or security.

Conditions required to exploit

05 Prerequisites

An administrator must visit a malicious link or page crafted by the attacker.

Key dates

06 Disclosure timeline

June 14, 2025 CVE published
April 8, 2026 Record updated