Description
The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2. This is due to improper verification of the `wordpress_logged_in_` cookie in the `inc/cache/execute-cache.php` file when the "Cache Logged-in Users" setting is enabled. The plugin parses the username directly from the cookie value (e.g., `username|hash`) using `substr()` to retrieve the corresponding cache file but fails to verify the session's cryptographic signature or validity with WordPress core. This makes it possible for unauthenticated attackers to supply a crafted cookie (e.g., `wordpress_logged_in_fake=admin|fake`) to trick the plugin into serving the cached HTML content generated for an administrator, leading to the disclosure of sensitive information such as private posts (including their full content), the Admin Bar, WordPress nonces, and other data visible only to logged-in administrators or other users.
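The following is an added example written for this page, not code from Breeze or WordPress core, that models the flaw described above: the vulnerable lookup takes whatever precedes the first `|` in the cookie as the cache-file owner, while the hardened lookup performs the kind of check WordPress core does in `wp_validate_auth_cookie()` before trusting the username. WordPress's real `logged_in` cookie is `user_login|expiration|token|hmac`, keyed by a per-user password fragment and the site salts; this model collapses that key into a single constant `SECRET` and omits the session-token lookup, both of which are assumptions so that it runs stand-alone.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumption: one constant stands in for the per-site salts and the
# per-user password fragment WordPress folds into its HMAC key.
SECRET = b"constructed-site-secret-for-this-example"


def _sign(user: str, expiration: int, token: str) -> str:
    """HMAC over the same three fields WordPress signs (user|expiration|token)."""
    msg = f"{user}|{expiration}|{token}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(user: str, expiration: int, token: str) -> str:
    """What the server puts in wordpress_logged_in_* at login: user|expiration|token|hmac."""
    return f"{user}|{expiration}|{token}|{_sign(user, expiration, token)}"


def vulnerable_cache_user(cookie_value: str) -> str:
    """The flawed lookup: everything before the first '|' becomes the per-user
    cache key. Nothing is verified, so 'admin|fake' selects admin's cache."""
    bar = cookie_value.find("|")
    return cookie_value if bar < 0 else cookie_value[:bar]


def verified_cache_user(cookie_value: str, now: Optional[int] = None) -> Optional[str]:
    """Hardened lookup: return the username only if the cookie has four fields,
    is unexpired and carries a valid signature; otherwise None (serve as guest)."""
    now = int(time.time()) if now is None else now
    parts = cookie_value.split("|")
    if len(parts) != 4:
        return None
    user, exp_text, token, sig = parts
    if not exp_text.isdigit() or int(exp_text) < now:
        return None
    expected = _sign(user, int(exp_text), token)
    # Constant-time comparison on bytes so an attacker-controlled value cannot
    # leak timing or trip a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return user


if __name__ == "__main__":
    forged = "admin|fake"                       # the PoC shape from the advisory
    genuine = issue_cookie("admin", 2_000_000_000, "sessiontoken")
    print("vulnerable:", vulnerable_cache_user(forged))                    # admin
    print("verified  :", verified_cache_user(forged))                      # None
    print("verified  :", verified_cache_user(genuine, now=1_900_000_000))  # admin
```

The point to take from the model is that the cookie name prefix and the `user|` layout carry no authority on their own; only the signature (and, in real WordPress, the session token) ties the value to a login, so a cache layer that branches on the username must either reproduce that verification or refuse to serve per-user content at all.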
Published: 2026-05-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Breeze Cache plugin for WordPress versions up to 2.5.2 contains a flaw where the plugin blindly parses the username portion of the wordpress_logged_in_ cookie without validating the cryptographic signature provided by WordPress. An unauthenticated attacker can forge a cookie such as wordpress_logged_in_fake=admin|fake, causing the plugin to locate and serve the cached HTML file that was generated for a privileged user. This results in the disclosure of information normally restricted to administrators, including private posts, the admin bar, nonces, and other protected data.

Affected Systems

The affected product is the Breeze Cache plugin distributed by Cloudways, specifically every release up to and including version 2.5.2 used on WordPress installations. No other vendors are listed, and no version information beyond the <=2.5.2 bound is provided.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (Medium; AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects a network-reachable, low-complexity confidentiality leak with no integrity or availability impact. The EPSS estimate is below 1% and the vulnerability is not listed in CISA's KEV catalog, although the SSVC assessment marks it as Automatable. Because no authentication is required, any client can trigger the flaw by sending a crafted `wordpress_logged_in_*` cookie in its own HTTP request; nothing has to be planted on the target site. The missing signature check in the plugin is the root cause; the CWE-200 classification describes its effect, exposure of sensitive information to an unauthorized actor.

Generated by OpenCVE AI on May 29, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Breeze Cache plugin to a release newer than 2.5.2 that verifies the login cookie before using it as a cache key. The Remediation field above records no vendor fix at the time of this page, so confirm the fixed version in the vendor's changelog before relying on an upgrade.
  • If an upgrade cannot be applied immediately, disable the "Cache Logged-in Users" setting in Breeze so that no per-user cache files are written or served; pages for logged-in users are then rendered by WordPress itself, which validates the cookie signature and session.
  • Purge the existing cache after either change, because files already generated for administrators remain readable until removed, and review access logs or WAF telemetry for requests carrying `wordpress_logged_in_*` cookies whose name suffix is not the site's COOKIEHASH or whose value is not of the form `user|expiration|token|hmac`.
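An added example, not OpenCVE, Breeze or WordPress code, of the log review suggested above: it flags requests whose `wordpress_logged_in_*` cookie cannot have been issued by this site, either because the name suffix is not the site's COOKIEHASH (WordPress core defines it as the MD5 of `siteurl`, so a `wordpress_logged_in_fake` cookie is impossible for a genuine login) or because the value does not have the four `user|expiration|token|hmac` fields. The log format, the site URL and the assumption that COOKIEHASH is not overridden in `wp-config.php` are all constructed for the example; the default combined access-log format does not include cookies, so a custom log format or a proxy/WAF export is needed.

```python
import hashlib
import re
from urllib.parse import unquote

# Assumptions: the site's configured siteurl, and that COOKIEHASH has not been
# overridden in wp-config.php (WordPress core defines COOKIEHASH = md5(siteurl)).
SITEURL = "https://blog.example.test"
COOKIEHASH = hashlib.md5(SITEURL.encode()).hexdigest()
PREFIX = "wordpress_logged_in_"

# Constructed log format for this example: '<ip> <method> <path> cookie="<Cookie header>"'.
SAMPLE_LOG = [
    f'198.51.100.7 GET /private-post/ cookie="{PREFIX}{COOKIEHASH}=alice%7C1900000000%7Cabc123%7Cdeadbeef; wp-settings-time-2=1"',
    '203.0.113.5 GET /private-post/ cookie="wordpress_logged_in_fake=admin%7Cfake"',
    f'203.0.113.9 GET /?p=42 cookie="{PREFIX}{COOKIEHASH}=admin|fake"',
    '192.0.2.1 GET / cookie="wordpress_test_cookie=WP+Cookie+check"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) cookie="(?P<cookie>[^"]*)"$')


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header into {name: decoded value}."""
    jar = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        jar[name.strip()] = unquote(value.strip())   # WordPress URL-encodes '|' as %7C
    return jar


def check_logged_in_cookie(name: str, value: str) -> list:
    """Reasons a wordpress_logged_in_* cookie cannot be one this site issued."""
    reasons = []
    if name[len(PREFIX):] != COOKIEHASH:
        reasons.append("name suffix is not this site's COOKIEHASH")
    if len(value.split("|")) != 4:
        reasons.append("value is not user|expiration|token|hmac")
    return reasons


def scan(lines) -> list:
    """Return one finding per request that carries an impossible login cookie."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in parse_cookie_header(m["cookie"]).items():
            if not name.startswith(PREFIX):
                continue
            reasons = check_logged_in_cookie(name, value)
            if reasons:
                findings.append({"ip": m["ip"], "path": m["path"],
                                 "cookie": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["path"], f["cookie"], "; ".join(f["reasons"]))
```

These are structural checks, useful for triage because the published proof-of-concept shape fails both of them, but an attacker who copies the real suffix and pads the value to four fields passes them. Only signature verification on the server is authoritative, so treat hits as a signal to purge the cache and apply the fix, not as the control itself.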

Generated by OpenCVE AI on May 29, 2026 at 06:50 UTC.


Advisories

No advisories yet.

History

Fri, 29 May 2026 10:30:00 +0000

Type       Values Removed   Values Added
Metrics    (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 05:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2. This is due to improper verification of the `wordpress_logged_in_` cookie in the `inc/cache/execute-cache.php` file when the "Cache Logged-in Users" setting is enabled. The plugin parses the username directly from the cookie value (e.g., `username|hash`) using `substr()` to retrieve the corresponding cache file but fails to verify the session's cryptographic signature or validity with WordPress core. This makes it possible for unauthenticated attackers to supply a crafted cookie (e.g., `wordpress_logged_in_fake=admin|fake`) to trick the plugin into serving the cached HTML content generated for an administrator, leading to the disclosure of sensitive information such as private posts (including their full content), the Admin Bar, WordPress nonces, and other data visible only to logged-in administrators or other users.
Title        (none)           Breeze Cache <= 2.5.2 - Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor via Crafted Login Cookie
Weaknesses   (none)           CWE-200
References   (none)           (none)
Metrics      (none)           cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-29T10:07:26.626Z

Reserved: 2026-02-06T19:47:59.101Z

Link: CVE-2026-2128

Vulnrichment

Updated: 2026-05-29T10:07:20.914Z

NVD

Status: Deferred

Published: 2026-05-29T05:16:19.267

Modified: 2026-05-29T13:09:05.450

Link: CVE-2026-2128

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T07:00:12Z

Weaknesses