Description
The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request, granted the administrator has enabled the API integration feature.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: unauthenticated server cache deletion affecting availability and performance
Action: Patch Now
AI Analysis

Impact

The Breeze – WordPress Cache Plugin registers the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` with the permission callback `__return_true`. When the API integration feature is enabled, authentication is disabled by default, so the endpoint accepts requests without authentication. An attacker who can send a POST request to this URL can clear all caches managed by the plugin (page cache, Varnish, and Cloudflare) regardless of user privileges. The vulnerability does not compromise confidentiality, but it can degrade site performance and user experience, because cleared caches have to be rebuilt.

Affected Systems

The flaw exists in Breeze Cache for WordPress versions up to and including 2.2.21, as used by Cloudways. Users should check whether their sites are running any version in this range and upgrade if possible.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate impact. The EPSS score of < 1% suggests that, while the vulnerability is technically exploitable, it is unlikely to be widely targeted or automated at present. The vulnerability is not listed in CISA's KEV catalog. Attackers would need network access to the target WordPress site and the capability to craft a POST request to the exposed REST endpoint. Because the permission callback always returns true and authentication is disabled when the API is enabled, no additional privileges are required to exploit the flaw.

Generated by OpenCVE AI on April 21, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Breeze Cache to the latest version that corrects the permission check on the cache‑clear endpoint.
  • If an upgrade cannot be performed immediately, disable the API integration feature in the Breeze settings to prevent unauthenticated access to the REST endpoint.
  • Ensure that the /wp-json/breeze/v1/clear-all-cache endpoint requires authentication or remove it entirely to eliminate the missing authorization weakness.
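
One way to apply the last recommendation on a site that cannot upgrade yet, as an added example (not code from Breeze, Cloudways or OpenCVE): a must-use plugin that replaces the route's permission callback through WordPress's `rest_endpoints` filter. The file name, the `breeze_guard_*` names and the choice of the `manage_options` capability are assumptions; the route key is the URL from the description without the `/wp-json` prefix.

```php
<?php
/**
 * Plugin Name: Breeze clear-all-cache guard (added example, not Breeze code)
 *
 * Place in wp-content/mu-plugins/. Replaces the permission callback of the
 * route named in the advisory so that only administrators can call it.
 */

// Route key as WordPress stores it: the advisory's URL without the /wp-json prefix.
const BREEZE_GUARD_ROUTE = '/breeze/v1/clear-all-cache';

// Assumption: purging every cache is an administrator task on this site.
const BREEZE_GUARD_CAPABILITY = 'manage_options';

function breeze_guard_permission_check() {
	if ( current_user_can( BREEZE_GUARD_CAPABILITY ) ) {
		return true;
	}
	return new WP_Error(
		'rest_forbidden',
		'Authentication is required to clear caches.',
		// 401 for anonymous callers, 403 for logged-in users without the capability.
		array( 'status' => rest_authorization_required_code() )
	);
}

add_filter(
	'rest_endpoints',
	function ( $endpoints ) {
		if ( empty( $endpoints[ BREEZE_GUARD_ROUTE ] ) ) {
			return $endpoints; // Route not registered on this site.
		}
		foreach ( $endpoints[ BREEZE_GUARD_ROUTE ] as $key => $handler ) {
			// Skip route metadata such as 'namespace'; only handler arrays have a callback.
			if ( is_array( $handler ) && isset( $handler['callback'] ) ) {
				$endpoints[ BREEZE_GUARD_ROUTE ][ $key ]['permission_callback'] = 'breeze_guard_permission_check';
			}
		}
		return $endpoints;
	}
);
```

With this guard in place, callers must authenticate through a mechanism WordPress core recognises, such as a logged-in session with a REST nonce or an application password. Any integration that relied on the unauthenticated endpoint stops working until it does so.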



Advisories

No advisories yet.

History

Thu, 19 Feb 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Cloudways; Cloudways breeze; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Cloudways; Cloudways breeze; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 05:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request, granted the administrator has enabled the API integration feature.

Type: Title
Values Removed: (none)
Values Added: Breeze – WordPress Cache Plugin <= 2.2.21 - Missing Authorization to Cache Deletion

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:59.642Z

Reserved: 2025-12-01T21:30:14.873Z

Link: CVE-2025-13864

Vulnrichment

Updated: 2026-02-19T17:22:56.896Z

NVD

Status: Deferred

Published: 2026-02-19T07:17:33.610

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13864

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:00:13Z

Weaknesses