Seraphinite Accelerator < 2.20.32 – Unauthorised Settings Reset/Import | CVE 2023-5611

Description

The plugin does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them

The issue was partially fixed in 2.20.29 (only adding authorisation checks). CSRF checks were added in 2.20.32

Proof of Concept

As an unauthenticated user, open https://example.com/wp-admin/admin-post.php?seraph_accel_settingsOp=reset

Affects Plugins

seraphinite-accelerator

Fixed in 2.20.32

References

CVE

CVE-2023-5611

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Submitter

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

8cb8a5e9-2ab6-4d9b-9ffc-ef530e346f8d

Timeline

Publicly Published

2023-11-06 (about 2 years ago)

Added

2023-11-06 (about 2 years ago)

Last Updated

2023-11-06 (about 2 years ago)

Other

Published

Title

Published

2023-12-26

Title

Easy Digital Downloads < 3.2.0 - Missing Authorization

Published

2025-10-31

Title

Document Library Lite < 1.1.7 - Sensitive Information Exposure

Published

2023-12-25

Title

Estatik Real Estate Plugin < 4.1.1 - Subscriber+ Arbitrary Option Update

Published

2024-10-21

Title

WP VR < 8.5.6 - Missing Authorization

Published

2025-07-04

Title

WooCommerce Shop Page Builder <= 2.27.7 - Missing Authorization