cleantalk
Vulnerabilities and Security Researches

Breeze – WordPress Cache Plugin, CVE-2025-13864

CVE, Research URL

CVE-2025-13864

Home page URL

Security reports for Breeze – WordPress Cache Plugin

Application

Breeze – WordPress Cache Plugin

Published on
Feb 19, 2026
Research Description
The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request, granted the administrator has enabled the API integration feature.
Affected versions
max 2.2.22.
Status
vulnerable
Previous vulnerability researches
JS Help Desk – Best Help Desk & Support Plugin (CVE-2026-32534) , Mar 29, 2026
JS Help Desk – Best Help Desk & Support Plugin (CVE-2026-32535) , Mar 29, 2026
JS Help Desk – Best Help Desk & Support Plugin (CVE-2024-7094) , Aug 14, 2024
JS Help Desk – Best Help Desk & Support Plugin (CVE-2024-13607) , Feb 05, 2025
JS Help Desk – Best Help Desk & Support Plugin (CVE-2025-30880) , Apr 03, 2025
New vulnerability
YayMail – WooCommerce Email Customizer (CVE-2026-27327) , Mar 29, 2026
Strong Testimonials (CVE-2026-24957) , Mar 29, 2026
BackWPup – WordPress Backup Plugin (CVE-2025-15041) , Mar 29, 2026
hCaptcha for WordPress (CVE-2026-25315) , Mar 29, 2026
Breeze – WordPress Cache Plugin (CVE-2025-13864) , Mar 29, 2026