What the vulnerability does
01 Description
The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the `seraph_accel_api` AJAX action with `fn=GetData`. This is due to the `OnAdminApi_GetData()` function not performing any capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive operational data including cache status, scheduled task information, and external database state.
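To check whether the endpoint has been queried on a site, the following added example (not part of the advisory or the plugin's code) scans web server access logs in Combined Log Format for the `seraph_accel_api` action with `fn=GetData`. It assumes the parameters travel in the query string of `/wp-admin/admin-ajax.php`; parameters sent in a POST body do not appear in access logs and are not detected. The function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_getdata_calls(lines):
    """Return one dict per request naming the advisory's action and fn."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(url.query)  # also percent-decodes the values
        actions = params.get("action", [])
        # Assumption: fn is matched case-insensitively as a precaution.
        fns = [v.lower() for v in params.get("fn", [])]
        if "seraph_accel_api" in actions and "getdata" in fns:
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "status": int(m["status"])})
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Mar/2026:10:15:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=seraph_accel_api&fn=GetData HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [04/Mar/2026:10:15:09 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [04/Mar/2026:10:16:40 +0000] "GET /wp-admin/admin-ajax.php'
    '?fn=getdata&action=seraph_accel_api HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    '192.0.2.9 - - [04/Mar/2026:10:17:01 +0000] "GET /index.php'
    '?action=seraph_accel_api&fn=GetData HTTP/1.1" 200 4096 "-" "curl/8.5.0"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for hit in find_getdata_calls(SAMPLE_LOG):
        print(hit)
```

Access logs do not record the WordPress role of the caller, so each hit needs to be correlated with authentication or session records to tell administrator use from low-privilege access.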
Explanation of Vulnerability in Simple Terms
02 Summary
Seraphinite Accelerator versions up to 2.28.14 expose sensitive information to authenticated users. An attacker with low-level site access can read data they should not have permission to view. The vulnerability requires valid login credentials and affects confidentiality only; no data modification or service disruption is possible.
What an attacker can do
03 Attacker Capabilities
Read sensitive information they should not have access to.
Potential impact on your site
04 Site Impact
Authenticated users can view confidential data; update the plugin immediately.
Conditions required to exploit
05 Prerequisites
Valid login account with low-level site privileges.
Key dates
06 Disclosure timeline
March 4, 2026: CVE published
April 8, 2026: Record updated