Impact
The vulnerability is a missing authorization flaw in the Breeze plugin for WordPress, which allows an unauthenticated or low‑privileged user to perform actions that should be limited to authorized administrators. The flaw is due to incorrectly configured access control security levels, enabling potential exploitation of administrative functions such as configuring settings, viewing site information, or creating new content. The potential impact includes unauthorized data disclosure, modification, or creation within the affected WordPress site.
Affected Systems
The issue affects the Breeze plugin by Cloudways, from early releases up through version 2.2.21. Any WordPress installation running Breeze 2.2.21 or earlier is at risk, regardless of the WordPress core version.
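A defender-side check for the affected range above, added here as an example and not part of the advisory or the Breeze project: it reads the plugin header from disk and compares the installed version with 2.2.21. The `breeze` directory slug, the `breeze.php` file name in the constructed sample and the status labels are assumptions; the advisory names no fixed version, so newer versions are reported only as outside the listed range.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (2, 2, 21)  # advisory: Breeze is affected up through 2.2.21
# WordPress plugin header fields, e.g. " * Version: 2.2.21" inside the leading comment
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def read_plugin_header(php_file):
    """Return header fields found in the first 8 KiB (where WordPress looks for them)."""
    head = Path(php_file).read_text(encoding="utf-8", errors="replace")[:8192]
    return {k.lower(): v.strip() for k, v in HEADER.findall(head)}

def parse_version(text):
    """'2.2.21' -> (2, 2, 21); None when the string has no leading dotted number."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group().split("."))
    return parts + (0,) * (3 - len(parts))  # pad '2.2' to (2, 2, 0)

def check_breeze(plugins_dir, slug="breeze"):
    """Return (version, status); status is affected, outside-range, unknown or not-installed."""
    plugin_dir = Path(plugins_dir) / slug  # slug is an assumption, not stated in the advisory
    if not plugin_dir.is_dir():
        return None, "not-installed"
    for php in sorted(plugin_dir.glob("*.php")):
        hdr = read_plugin_header(php)
        if "plugin name" in hdr and "version" in hdr:
            ver = parse_version(hdr["version"])
            if ver is None:
                return hdr["version"], "unknown"
            return hdr["version"], "affected" if ver <= LAST_AFFECTED else "outside-range"
    return None, "unknown"  # directory exists but no readable plugin header

def make_sample(root, version):
    """Write a constructed plugin file (not real Breeze code) and return the plugins dir."""
    plugin_dir = Path(root) / "plugins" / "breeze"
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "breeze.php").write_text(
        f"<?php\n/**\n * Plugin Name: Breeze\n * Version: {version}\n */\n", encoding="utf-8")
    return plugin_dir.parent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_breeze(make_sample(tmp, "2.2.21")))  # constructed sample input
```

Point `check_breeze` at a site's `wp-content/plugins` directory to run it against a real installation.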
Risk and Exploitability
The CVSS score of 5.3 classifies the flaw as moderate severity, and the EPSS value of less than 1% indicates a very low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. Because the flaw relies on incorrect access control in a publicly exposed plugin, the attack vector is likely through the web interface of the WordPress site without additional privilege. An attacker can exploit the flaw by sending crafted requests to Breeze‑controlled endpoints while authenticated as a regular user or, in some configurations, even as an unauthenticated visitor if the plugin is misconfigured to expose certain endpoints.