cleantalk
Vulnerabilities and Security Researches

Breeze – WordPress Cache Plugin, CVE-2026-2128

CVE, Research URL

CVE-2026-2128

Home page URL

Security reports for Breeze – WordPress Cache Plugin

Application

Breeze – WordPress Cache Plugin

Published on
May 29, 2026
Research Description
The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2 This is due to improper verification of the `wordpress_logged_in_` cookie in the `inc/cache/execute-cache.php` file when the "Cache Logged-in Users" setting is enabled. The plugin parses the username directly from the cookie value (e.g., `username|hash`) using `substr()` to retrieve the corresponding cache file but fails to verify the session's cryptographic signature or validity with WordPress core. This makes it possible for unauthenticated attackers to supply a crafted cookie (e.g., `wordpress_logged_in_fake=admin|fake`) to trick the plugin into serving the cached HTML content generated for an administrator, leading to the disclosure of sensitive information such as private posts (including their full content), the Admin Bar, WordPress nonces, and other data visible only to logged-in administrators or other users.
Affected versions
max 2.5.3.
Status
vulnerable
Previous vulnerability researches
GutenBee – Gutenberg Blocks (CVE-2025-8566) , Oct 11, 2025
GutenBee – Gutenberg Blocks (CVE-2026-9227) , May 30, 2026
New vulnerability
Breeze – WordPress Cache Plugin (CVE-2026-2128) , May 30, 2026
Frontend Admin by DynamiApps (CVE-2026-6226) , May 30, 2026
Frontend Admin by DynamiApps (CVE-2026-7802) , May 30, 2026
EventPress (CVE-2026-6268) , May 30, 2026
WPComplete (CVE-2026-42750) , May 30, 2026