Volerion logoVolerion
Volerion logoVolerion

Seraphinite Accelerator WordPress Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Seraphinite Accelerator plugin for WordPress, affecting all versions through 2.27.21. The vulnerability arises from inadequate nonce validation in the 'OnAdminApi_CacheOpBegin' function, allowing unauthenticated attackers to impersonate site administrators and execute various administrative tasks, such as cache deletion, by tricking them into clicking a link.

Impact

Exploitation of this vulnerability could lead to unauthorized administrative actions being performed on behalf of a site administrator, including cache deletion.

Reproduction

To reproduce this vulnerability, an attacker must send a forged request to the 'OnAdminApi_CacheOpBegin' endpoint, including a nonce that has not been properly validated. This can be done by tricking an administrator into clicking a link that triggers the request, such as through a phishing email or a malicious website.

Remediation

Users are advised to update the Seraphinite Accelerator plugin to version 2.27.22 or later.

Added: Jun 14, 2025, 3:18 AM
Updated: Jun 14, 2025, 3:18 AM

Vulnerability Rating

Custom Algorithm
spread
1.0
impact
5.0
exploitability
7.6
remediation
7.7
relevance
0.2
threat
4.8
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.