CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
What the vulnerability does
The Seraphinite Accelerator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `seraph_accel_api` AJAX action with `fn=LogClear` in all versions up to, and including, 2.28.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's debug/operational logs.
Explanation of Vulnerability in Simple Terms
Seraphinite Accelerator versions 2.28.14 and earlier lack proper authorization checks, allowing authenticated users to modify site data they should not have access to. An attacker with a low-privilege account can change settings or content without the appropriate permissions. The vulnerability affects the integrity of site configuration and content but does not expose sensitive data or cause service disruption.
What an attacker can do
Modify site settings or content without proper authorization as a low-privilege user.
Potential impact on your site
Unauthorized changes to site configuration or content by low-privilege users; data integrity risk.
Conditions required to exploit
Attacker must have a valid low-privilege account on the site; no user interaction required.
Key dates
External resources
Related vulnerabilities
