CVE-2026-3058 MEDIUM

CVE-2026-3058: Seraphinite Accelerator <= 2.28.14 - Authenticated (Subscriber+) Exposure of Sensitive Information to an Unauthorized Actor

Vendor: Seraphinitesoft
Product: Seraphinite Accelerator
Weakness: CWE-200 · Info exposure
Published: March 4, 2026
Last update: April 8, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the `seraph_accel_api` AJAX action with `fn=GetData`. This is due to the `OnAdminApi_GetData()` function not performing any capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive operational data including cache status, scheduled task information, and external database state.
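To check whether the endpoint described above has been called on a site, the following added example (not part of the original advisory or the plugin's code) scans web server access logs for `admin-ajax.php` requests carrying `action=seraph_accel_api` and `fn=GetData`, grouped by client address. It assumes combined log format and that the parameters appear in the query string; parameters sent in a POST body are not recorded in access logs and will not be seen. The log lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2026:10:12:01 +0000] "GET /wp-admin/admin-ajax.php?action=seraph_accel_api&fn=GetData HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.7 - - [05/Mar/2026:10:12:09 +0000] "GET /wp-admin/admin-ajax.php?fn=GetData&action=seraph_accel_api&_=1 HTTP/1.1" 200 498 "-" "curl/8.5"
198.51.100.4 - - [05/Mar/2026:10:13:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Mar/2026:10:14:02 +0000] "GET /wp-admin/admin-ajax.php?action=seraph_accel_api&fn=GetData HTTP/1.1" 403 21 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request target, status code
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_getdata_call(target):
    """True if the request target is the AJAX action and fn named in the advisory."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    query = parse_qs(parts.query)  # parameter order does not matter
    return ("seraph_accel_api" in query.get("action", [])
            and "GetData" in query.get("fn", []))

def find_getdata_calls(log_text):
    """Map client IP -> list of (timestamp, status) for matching requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_getdata_call(m["target"]):
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def served(hits):
    """Clients that received at least one HTTP 200 answer; review these first."""
    return sorted(ip for ip, calls in hits.items()
                  if any(status == 200 for _, status in calls))

if __name__ == "__main__":
    found = find_getdata_calls(SAMPLE_LOG)
    for ip in served(found):
        print(ip, found[ip])
```

Access logs do not show which WordPress account made a request, so correlate the flagged addresses and timestamps with login records to see whether low-privilege accounts were involved.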

Explanation of Vulnerability in Simple Terms

02 Summary

Seraphinite Accelerator versions up to 2.28.14 expose sensitive information to authenticated users. An attacker with low-level site access can read data they should not have permission to view. The vulnerability requires valid login credentials and affects confidentiality only; no data modification or service disruption is possible.

What an attacker can do

03 Attacker Capabilities

Read sensitive information they should not have access to.

Potential impact on your site

04 Site Impact

Authenticated users can view confidential data; update the plugin immediately.

Conditions required to exploit

05 Prerequisites

Valid login account with low-level site privileges.

Key dates

06 Disclosure timeline

March 4, 2026: CVE published
April 8, 2026: Record updated