Cross-Site Request Forgery Vulnerability in Seraphinite Accelerator Plugin for WordPress
CVE-2025-6059

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
Seraphinite Accelerator
Vendor
CVE Published:
14 June 2025

What is CVE-2025-6059?

The Seraphinite Accelerator plugin for WordPress contains a Cross-Site Request Forgery vulnerability due to missing or improper nonce validation in the 'OnAdminApi_CacheOpBegin' function. This flaw allows unauthenticated attackers to execute various administrative actions, such as clearing the cache, if they successfully convince a site administrator to interact with a malicious link or request.

Affected Version(s)

Seraphinite Accelerator * <= 2.27.21

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/seraphinite-ac...
https://plugins.trac.wordpress.org/changeset/3284098/

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nabil Irawan
.
CVE-2025-6059 : Cross-Site Request Forgery Vulnerability in Seraphinite Accelerator Plugin for WordPress