MEDIUM 5.3

CVE-2026-2128: Breeze WordPress Plugin Cache Information Disclosure (v2.5.2 and earlier)

The Breeze WordPress plugin through version 2.5.2 contains a flaw that allows attackers to view content meant only for administrators. When the "Cache Logged-in Users" feature is enabled, the plugin trusts cookie information without properly verifying it belongs to a real, authenticated user. An attacker can craft a fake cookie claiming to be an administrator, and the plugin will serve them the cached pages generated for that admin—exposing private posts, administrative controls, security tokens, and other sensitive data. No authentication or special privileges are required to attempt this attack.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2 This is due to improper verification of the `wordpress_logged_in_` cookie in the `inc/cache/execute-cache.php` file when the "Cache Logged-in Users" setting is enabled. The plugin parses the username directly from the cookie value (e.g., `username|hash`) using `substr()` to retrieve the corresponding cache file but fails to verify the session's cryptographic signature or validity with WordPress core. This makes it possible for unauthenticated attackers to supply a crafted cookie (e.g., `wordpress_logged_in_fake=admin|fake`) to trick the plugin into serving the cached HTML content generated for an administrator, leading to the disclosure of sensitive information such as private posts (including their full content), the Admin Bar, WordPress nonces, and other data visible only to logged-in administrators or other users.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-2128 is an information disclosure vulnerability in the Breeze cache plugin for WordPress. The vulnerable code in `inc/cache/execute-cache.php` parses the WordPress session cookie (`wordpress_logged_in_*`) to determine which cached content to serve when the "Cache Logged-in Users" option is active. The plugin extracts the username using `substr()` by splitting on the pipe character (`username|hash`) but does not cryptographically validate the cookie's signature or verify the session's validity against WordPress core authentication. This allows an attacker to supply a malformed cookie with an arbitrary username (e.g., `wordpress_logged_in_fake=admin|fake`) and receive cached HTML content—including the Admin Bar, nonces, and private post content—that was originally generated for that user. The attacker requires only network-level access and the ability to set cookies, both trivial constraints in a web context.

Business impact

Organizations using Breeze with cached content for logged-in users face a direct risk of data leakage. Private posts, draft content, and administrative interfaces could be exposed to unauthenticated visitors. This is particularly serious for sites that rely on WordPress role-based access control to keep sensitive content (e.g., internal announcements, financial data, or unreleased material) away from public view. The disclosure of WordPress nonces and other CSRF tokens in cached admin pages also increases the surface for secondary attacks. Given that the vulnerability affects all versions up to 2.5.2 and does not require a user action or special configuration beyond enabling a standard caching feature, the potential affected population is substantial.

Affected systems

The Breeze WordPress plugin is affected in all versions up to and including 2.5.2. The vulnerability is active only when the "Cache Logged-in Users" setting is enabled in the plugin configuration. Any WordPress installation running a vulnerable version of Breeze with this setting active is at risk. Organizations should verify their plugin version and configuration immediately.

Exploitability

Exploitability is straightforward and requires no special tools or insider access. An attacker can craft HTTP requests with custom cookies from any remote location and observe the responses for cached content leakage. No authentication, user interaction, or complex attack chains are necessary. The CVSS v3.1 score of 5.3 (Medium) reflects the low barrier to exploitation, the network-accessible attack vector, and the requirement for no privileges. However, the practical impact—access to sensitive information including admin content—suggests prioritization above a purely numerical reading.

Remediation

Upgrade the Breeze plugin to a patched version released after 2.5.2. Verify the patch version against the vendor's official advisory to confirm the cookie validation vulnerability is addressed. As an interim measure, disable the "Cache Logged-in Users" feature in the Breeze settings to prevent the plugin from serving user-specific cached content based on unvalidated cookies. This disables some performance benefits but eliminates the attack surface. Additionally, monitor access logs for requests with suspicious or malformed `wordpress_logged_in_*` cookies and consider implementing a Web Application Firewall (WAF) rule to validate cookie format and block obviously crafted values.

Patch guidance

Contact Breeze's support or check the official WordPress plugin repository for the latest version beyond 2.5.2. Apply the patch as soon as it is available. Before patching, test in a staging environment to ensure cache behavior and performance remain acceptable. After patching, verify that the plugin properly validates the WordPress session cookie against core before serving cached content. Clear all cached content after patching to ensure stale admin pages are not served.

Detection guidance

Monitor for patterns of cache hits returning admin-level content (Admin Bar, nonces, private posts) in response to requests with malformed, inconsistent, or fabricated `wordpress_logged_in_*` cookies. Search web server access logs for cookie values with suspicious formats (e.g., `fake`, `test`, or numeric IDs that do not match real WordPress users). Enable detailed logging in Breeze if available and correlate cache retrieval with user session validity. Look for requests that produce high-value content responses but originate from non-authenticated sessions or from IPs without prior login activity.

Why prioritize this

Although the CVSS score is Medium, this vulnerability should be prioritized for immediate remediation because: (1) the attack is trivial to execute and requires no user interaction or authentication; (2) the confidentiality impact is direct and high—including private posts and admin UI; (3) the affected plugin is widely installed across WordPress sites; and (4) the feature must be explicitly enabled but is likely enabled on many installations seeking performance improvements. The gap between numerical severity and practical risk warrants urgent patching.

Risk score, explained

The CVSS v3.1 score of 5.3 reflects a network-accessible, low-complexity attack requiring no privileges and no user interaction, resulting in a limited confidentiality impact. However, the score does not fully capture the risk that sensitive business data (private posts, administrator panels, nonces) is trivially accessible to any remote attacker. Organizations should weight the practical severity of information disclosure against the low barrier to exploitation and the prevalence of the plugin.

Frequently asked questions

Does this vulnerability require the WordPress site to be publicly accessible?

Yes, the attacker must be able to make HTTP requests to the site. If the site is behind a firewall or IP whitelist, the risk is significantly reduced. However, most WordPress sites are public, making this vulnerability broadly exploitable.

If I disable the 'Cache Logged-in Users' setting, am I safe?

Disabling this setting eliminates the vulnerability because the plugin will no longer serve cached content based on cookie-derived user identity. Performance benefits for logged-in users will be lost, but the information disclosure risk is removed. This is a safe interim measure until a patch is applied.

What information can an attacker actually see?

An attacker can view any cached page content that WordPress would generate for the spoofed user account—typically private posts, admin bar links, nonces, and any other page elements restricted to that user's role. The extent depends on what content exists and what the legitimate user's role permits.

Is this vulnerability in the WordPress core or in the Breeze plugin?

This is a flaw in the Breeze plugin's cache handling logic. WordPress core authentication is secure. Breeze fails to validate cookies properly before using them to select cached content, creating the vulnerability.

This analysis is provided for informational and educational purposes only and should not be construed as legal, security, or professional advice. Organizations must conduct their own risk assessment and consult with qualified security professionals before implementing any remediation steps. Patch and version information referenced here should be verified against the official Breeze and WordPress vendor documentation and advisories. No guarantee is made regarding the completeness or accuracy of this information as applied to any specific environment or configuration. Organizations are solely responsible for the security and integrity of their systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).