Seraphinite Accelerator WordPress Plugin Vulnerabilities Affect 60K Sites
By Roger Montti
Published on March 4, 2026.
A security advisory has been issued for two vulnerabilities affecting the Seraphinite Accelerator WordPress plugin, which is installed on over 60,000 websites. The vulnerability allows authenticated attackers to retrieve internal operational data from a website and make unauthorized changes. The plugin exposes an AJAX endpoint named seraph_acceler_api and does not verify whether a user has permission to access a specific API function. The developers fixed the vulnerability in version 2.28.15, removing the exposed API access and preventing subscriber-level users from retrieving the operational data. The second advisory warns of modifications that attackers could make on a website. The affected part of the plugin is an “Admin API” controller/dispatcher (inferred from methods being named OnAdminApi_*) and likely another endpoint/function, LogClear.
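The missing check described above, shown as an added example of a WordPress AJAX dispatcher that authorizes each function before calling it. This is not the plugin's code: the action name example_accel_api, the class, the fn parameter, the GetStatus function and the example_accel_log option are hypothetical, and only the OnAdminApi_* naming and LogClear come from the advisory summary.

```php
<?php
// Added example: hypothetical plugin code, not Seraphinite Accelerator's source.
// Assumed names: example_accel_api, Example_Admin_Api, 'fn', example_accel_log.

final class Example_Admin_Api {
    // Allowlist of callable API functions and the capability each one requires.
    private const FUNCTIONS = array(
        'GetStatus' => 'manage_options',
        'LogClear'  => 'manage_options',
    );

    public static function dispatch() {
        // 1. CSRF: reject requests that lack a valid nonce for this action.
        if ( ! check_ajax_referer( 'example_accel_api', '_wpnonce', false ) ) {
            wp_send_json_error( array( 'error' => 'bad_nonce' ), 403 );
        }

        // 2. Resolve the requested function through the allowlist only.
        $fn = isset( $_REQUEST['fn'] ) ? (string) wp_unslash( $_REQUEST['fn'] ) : '';
        if ( ! isset( self::FUNCTIONS[ $fn ] ) ) {
            wp_send_json_error( array( 'error' => 'unknown_function' ), 400 );
        }

        // 3. Authorization: a wp_ajax_* hook only proves the caller is logged in,
        //    so a subscriber reaches this point. Check the capability explicitly.
        if ( ! current_user_can( self::FUNCTIONS[ $fn ] ) ) {
            wp_send_json_error( array( 'error' => 'forbidden' ), 403 );
        }

        $method = 'OnAdminApi_' . $fn;
        wp_send_json_success( self::$method() );
    }

    // Read-only operational data (constructed sample values).
    private static function OnAdminApi_GetStatus() {
        return array( 'log_entries' => count( (array) get_option( 'example_accel_log', array() ) ) );
    }

    // State-changing call: same capability gate as above applies before it runs.
    private static function OnAdminApi_LogClear() {
        return array( 'cleared' => delete_option( 'example_accel_log' ) );
    }
}

// Registered for logged-in users only; there is no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_accel_api', array( 'Example_Admin_Api', 'dispatch' ) );
```

Without step 3, any logged-in account, including a subscriber, can call every function the dispatcher exposes.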