Seraphinite Accelerator < 2.28.15 – Missing Authorization to Authenticated (Subscriber+) Log Clearing | CVE 2026-3056 | Plugin Vulnerabilities

Description

The Seraphinite Accelerator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `seraph_accel_api` AJAX action with `fn=LogClear` in all versions up to, and including, 2.28.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's debug/operational logs.

Affects Plugins

seraphinite-accelerator

Fixed in 2.28.15

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/96850eb6-77d8-4012-b360-a417918cab0e

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Nabil Irawan

Verified

No

WPVDB ID

e6031cc7-a71c-4ca1-b7f5-e4cf9fec7b63

Timeline

Publicly Published

2026-03-03 (about 3 months ago)

Added

2026-03-03 (about 3 months ago)

Last Updated

2026-03-04 (about 3 months ago)

Other

Published

Title

Published

2024-02-07

Title

ImageRecycle pdf & image compression < 3.1.14 - Missing Authorization to Settings Update in disableOptimization

Published

2022-05-02

Title

Breeze < 2.0.3 - Subscriber+ Arbitrary Settings Update to Stored XSS

Published

2025-09-22

Title

Coupon Affiliates < 6.8.1 - Missing Authorization

Published

2025-04-16

Title

Live Forms < 4.8.5 - Missing Authorization

Published

2024-04-01

Title

Sharkdropship for AliExpress Dropshipping and Affiliate < 2.2.5 - Missing Authorization to Unauthenticated Arbitrary Post Deletion