Seraphinite Accelerator <= 2.27.21 - Cross-Site Request Forgery to Multiple Administrative Actions

June 13, 2025 invoker category_cve

CVE Details

Basic Information

Title Seraphinite Accelerator <= 2.27.21 - Cross-Site Request Forgery to Multiple Administrative Actions
Type cve
Published 2025-06-14T01:43:25.206Z
Last Seen

Product Information

Vendor seraphinitesoft
Product Seraphinite Accelerator
Version *

CVSS Information

Base Score 4.3 (MEDIUM)
Attack Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Confidentiality Impact
Integrity Impact
Availability Impact

AI Analysis

AI Description The Seraphinite Accelerator plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 2.27.21. This allows attackers to perform administrative actions, such as deleting the cache, by tricking an administrator into clicking a malicious link.
AI Severity Medium
Vendor Seraphinite Solutions
Product Seraphinite Accelerator
Affected Version <= 2.27.21

Affected Products

  • seraphinitesoft Seraphinite Accelerator *

Additional Information

CVE List
CWE List CWE-352
Bulletin Family

Description

The Seraphinite Accelerator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.27.21. This is due to missing or incorrect nonce validation on the ‘OnAdminApi_CacheOpBegin’ function. This makes it possible for unauthenticated attackers to perform several administrative actions, including deleting the cache, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.