CVE-2026-3058

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-3058

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

T

he Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the `seraph_accel_api` AJAX action with `fn=GetData`. This is due to the `OnAdminApi_GetData()` function not performing any capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive operational data including cache status, scheduled task information, and external database state.

References
Link Resource
https://plugins.trac.wordpress.org/browser/seraphinite-accelerator/trunk/Cmn/Plugin.php#L598
https://plugins.trac.wordpress.org/browser/seraphinite-accelerator/trunk/main.php#L2288
https://plugins.trac.wordpress.org/changeset/3468084/seraphinite-accelerator/trunk/main.php?contextall=1
https://www.wordfence.com/threat-intel/vulnerabilities/id/bf539c01-596a-44dd-9587-6be6978ab0fa?source=cve
Configurations

No configuration.

History

04 Mar 2026, 18:08

Type Values Removed Values Added
Summary
  • (es) El plugin Seraphinite Accelerator para WordPress es vulnerable a la exposición de información sensible en todas las versiones hasta la 2.28.14, inclusive, a través de la acción AJAX 'seraph_accel_api' con 'fn=GetData'. Esto se debe a que la función 'OnAdminApi_GetData()' no realiza ninguna comprobación de capacidad. Esto permite a atacantes autenticados, con acceso de nivel Suscriptor y superior, recuperar datos operativos sensibles, incluyendo el estado de la caché, información de tareas programadas y el estado de la base de datos externa.

04 Mar 2026, 12:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-04 12:16

Updated : 2026-03-04 18:08

NVD link : CVE-2026-3058

Mitre link : CVE-2026-3058

CVE.ORG link : CVE-2026-3058

JSON object : View

Products Affected

No product.

CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor