Vulnerabilities and security research for breeze
Jun 07, 2024
Breeze – WordPress Cache Plugin # CVE-2024-27188
- CVE, Research URL
- Application
- Date: Mar 27, 2024
- Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cloudways Breeze allows Stored XSS. This issue affects Breeze: from n/a through 2.1.3.
- Affected versions: max 2.1.4.
- Status: vulnerable
Breeze – WordPress Cache Plugin # CVE-2022-29444
- CVE, Research URL
- Application
- Date: May 03, 2022
- Research Description: Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability in Cloudways Breeze plugin <= 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wp_ajax_* actions in the class Breeze_Configuration, which includes the ability to change any of the plugin's settings, including the CDN setting, which could be further used for an XSS attack.
- Affected versions: max 2.0.9.
- Status: vulnerable
Oct 27, 2024
Breeze – WordPress Cache Plugin # CVE-2024-50422
- CVE, Research URL
- Application
- Date: Oct 30, 2024
- Research Description: Missing Authorization vulnerability in Cloudways Breeze allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Breeze: from n/a through 2.1.14.
- Affected versions: max 2.1.15.
- Status: vulnerable
Breeze – WordPress Cache Plugin # CVE-2024-50431
- CVE, Research URL
- Application
- Date: Oct 29, 2024
- Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Cloudways Breeze allows Stored XSS. This issue affects Breeze: from n/a through 2.1.14.
- Affected versions: max 2.1.15.
- Status: vulnerable
Jul 03, 2025
Breeze – WordPress Cache Plugin # CVE-2025-23999
- CVE, Research URL
- Application
- Date: Jun 18, 2025
- Research Description: Missing Authorization vulnerability in Cloudways Breeze allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Breeze: from n/a through 2.2.13.
- Affected versions: max 2.2.14.
- Status: vulnerable
Jan 28, 2026
Breeze – WordPress Cache Plugin # CVE-2025-69364
- CVE, Research URL
- Application
- Date: Jan 06, 2026
- Research Description: Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Breeze: from n/a through <= 2.2.21.
- Affected versions: max 2.2.21.
- Status: vulnerable
Mar 29, 2026
Breeze – WordPress Cache Plugin # CVE-2025-13864
- CVE, Research URL
- Application
- Date: Feb 19, 2026
- Research Description: The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request, granted the administrator has enabled the API integration feature.
- Affected versions: max 2.2.22.
- Status: vulnerable
Apr 24, 2026
Breeze – WordPress Cache Plugin # CVE-2026-3844
- CVE, Research URL
- Application
- Date: Apr 23, 2026
- Research Description: The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.
- Affected versions: max 2.4.5.
- Status: vulnerable