CVE-2026-3058 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the Seraphinite Accelerator plugin for WordPress, affecting all versions up to and including 2.28.14. The vulnerability arises because the `OnAdminApi_GetData()` function, which handles the AJAX action `seraph_accel_api` with the parameter `fn=GetData`, does not perform any capability or permission checks. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke this API endpoint and retrieve sensitive operational data that should be restricted. The exposed data includes cache status, scheduled task information, and the state of external databases connected to the plugin. Since Subscriber-level access is relatively low privilege in WordPress, this vulnerability significantly lowers the barrier for attackers to gather internal system information that could facilitate further attacks. The vulnerability is remotely exploitable over the network without user interaction, increasing its risk profile. The CVSS v3.1 score is 4.3 (medium), reflecting the limited scope of confidentiality impact without integrity or availability compromise. No patches or exploit code are currently publicly available, but the absence of capability checks is a fundamental security oversight that should be addressed promptly.

The primary impact of CVE-2026-3058 is the unauthorized disclosure of sensitive operational information within WordPress environments using the Seraphinite Accelerator plugin. Exposure of cache status and scheduled task details can provide attackers with insights into system behavior and timing, which can be leveraged for timing attacks or to evade detection. Disclosure of external database state may reveal configuration details or data structures that facilitate further exploitation or data exfiltration. Although the vulnerability does not directly compromise data integrity or system availability, the confidentiality breach can aid attackers in reconnaissance and lateral movement within the affected environment. Organizations relying on this plugin may face increased risk of targeted attacks, especially if attackers combine this information with other vulnerabilities or social engineering. The medium severity rating indicates moderate risk, but the ease of exploitation by low-privilege users makes it a notable concern for WordPress sites with multiple user roles.

To mitigate CVE-2026-3058, organizations should immediately update the Seraphinite Accelerator plugin to a version that includes proper capability checks in the `OnAdminApi_GetData()` function once available. Until a patch is released, administrators should restrict access to the plugin’s AJAX endpoints by implementing additional access controls, such as limiting AJAX requests to trusted roles only or disabling the plugin if not essential. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious AJAX calls to `seraph_accel_api` with `fn=GetData` can reduce exposure. Regularly auditing user roles and minimizing the number of users with Subscriber-level or higher access reduces the attack surface. Monitoring logs for unusual API requests and anomalous data access patterns can help detect exploitation attempts. Finally, educating site administrators about the risks of granting unnecessary privileges and maintaining up-to-date backups will aid in recovery if exploitation occurs.