Security Alert Summary
The Breeze plugin for WordPress contains a vulnerability that can expose cached HTML pages intended for logged-in users to unauthenticated visitors when the “Cache Logged-in Users” setting is enabled. The plugin parses the username from the wordpress_logged_in_ cookie without verifying the cookie signature or session validity, which can lead to disclosure of private posts, the Admin Bar, WordPress nonces, and other data visible only to authenticated users.
CVE Details
- CVE ID: CVE-2026-2128
- Affected component: Breeze plugin for WordPress (cache handling)
- Affected versions: All versions up to, and including, 2.5.2
- Published: May 29, 2026 at 5:16:19 AM
- Last modified: May 29, 2026 at 1:09:05 PM
- CVSS v3.1: Base Score 5.3, Severity MEDIUM
- Vector string:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - Attack characteristics: Network attack vector, Low attack complexity
- Authentication / privileges / user interaction: No authentication required; Privileges Required: None; User Interaction: None
- Primary impact: Confidentiality: Low; Integrity: None; Availability: None
- Weakness (CWE): CWE-200 (Exposure of Sensitive Information)
Technical Details
The vulnerability exists in the cache execution logic of the Breeze plugin (file: inc/cache/execute-cache.php). When the “Cache Logged-in Users” feature is enabled, the plugin parses the username component from the wordpress_logged_in_ cookie value (for example, a value like username|hash) using substr() and then selects a corresponding cache file to serve.
The plugin does not verify the cookie’s cryptographic signature or the session validity with WordPress core before using the parsed username to fetch and serve cached HTML. Because of that missing verification, an unauthenticated actor can supply a crafted cookie (for example, wordpress_logged_in_fake=admin|fake) that causes the plugin to serve cached content generated for that username.
Impact is limited to the cached HTML that the plugin will serve for the targeted username. That cached output may include private posts and their full content, the Admin Bar, WordPress nonces, and other data that would normally only be visible to the authenticated account whose cache was served.
How This Could Impact Your Website
On a multi-user WordPress site, this vulnerability could allow an unauthenticated visitor to obtain cached pages intended for administrative or other privileged users. For example, a site owner or administrator could find private posts and admin-only UI elements exposed, while internal staff or external contributors might have content or links shown that reveal project details or contact information.
Concretely, this could lead to exposure of internal user email addresses and other information contained in private posts or admin pages, increasing the risk of targeted phishing or social engineering against staff and contractors. The issue is limited to the content present in the served cache files and does not, from the provided data, indicate arbitrary code execution or full site takeover.
If you\’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Temporarily disable the “Cache Logged-in Users” setting until you can confirm a secure plugin version is installed.
- Review and reduce unnecessary user roles, especially contributor-level and higher accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior related to cached page access.
If you\’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.24/inc/cache/execute-cache.php#L132
- https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.24/inc/cache/execute-cache.php#L140
- https://plugins.trac.wordpress.org/browser/breeze/trunk/inc/cache/execute-cache.php#L140
- https://plugins.trac.wordpress.org/changeset/3456822/breeze/trunk/inc/cache/execute-cache.php
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fbreeze/tags/2.2.24&new_path=%2Fbreeze/tags/2.3.0
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fbreeze/tags/2.5.2&new_path=%2Fbreeze/tags/2.5.3
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f0b6c41d-833e-4ad4-bdb6-c38fef3eb7f4?source=cve