{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13864", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-01T21:30:14.873Z", "datePublished": "2026-02-19T04:36:12.578Z", "dateUpdated": "2026-04-08T16:54:59.642Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:59.642Z"}, "affected": [{"vendor": "cloudways", "product": "Breeze Cache", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.21", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request, granted the administrator has enabled the API integration feature."}], "title": "Breeze \u2013 WordPress Cache Plugin <= 2.2.21 - Missing Authorization to Cache Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a3c16a5-65e5-4fe9-b7f0-2e021534c054?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.21/inc/class-breeze-api.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.21/inc/class-breeze-api.php#L19"}, {"url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.21/inc/breeze-admin.php#L749"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425199%40breeze&new=3425199%40breeze&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "NosleeP"}], "timeline": [{"time": "2026-02-18T15:43:14.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:22:55.415890Z", "id": "CVE-2025-13864", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:37:10.796Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13864", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T17:22:55.415890Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:22:56.896Z"}}], "cna": {"title": "Breeze \u2013 WordPress Cache Plugin <= 2.2.21 - Missing Authorization to Cache Deletion", "credits": [{"lang": "en", "type": "finder", "value": "NosleeP"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "cloudways", "product": "Breeze Cache", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.21"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T15:43:14.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a3c16a5-65e5-4fe9-b7f0-2e021534c054?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.21/inc/class-breeze-api.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.21/inc/class-breeze-api.php#L19"}, {"url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.21/inc/breeze-admin.php#L749"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425199%40breeze&new=3425199%40breeze&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request, granted the administrator has enabled the API integration feature."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:59.642Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13864", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:54:59.642Z", "dateReserved": "2025-12-01T21:30:14.873Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T04:36:12.578Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request, granted the administrator has enabled the API integration feature."}, {"lang": "es", "value": "El plugin Breeze - WordPress Cache Plugin para WordPress es vulnerable al borrado de cach\u00e9 no autorizado en todas las versiones hasta la 2.2.21, inclusive. Esto se debe a que el endpoint de la API REST '/wp-json/breeze/v1/clear-all-cache' est\u00e1 registrado con 'permission_callback =&gt; '__return_true'' y la autenticaci\u00f3n est\u00e1 deshabilitada por defecto cuando la API est\u00e1 habilitada. Esto hace posible que atacantes no autenticados borren todas las cach\u00e9s del sitio (cach\u00e9 de p\u00e1gina, Varnish y Cloudflare) mediante una simple solicitud POST, siempre que el administrador haya habilitado la funci\u00f3n de integraci\u00f3n de la API."}], "id": "CVE-2025-13864", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:33.610", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.21/inc/breeze-admin.php#L749"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.21/inc/class-breeze-api.php#L19"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.21/inc/class-breeze-api.php#L22"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425199%40breeze&new=3425199%40breeze&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a3c16a5-65e5-4fe9-b7f0-2e021534c054?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.21]"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "Breeze Cache", "source": "cna", "vendor": "cloudways"}, "product": "breeze", "vendor": "cloudways"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-21T15:55:40.917355+00:00", "value": {"mitigation_remediation": ["Upgrade Breeze Cache to the latest version that corrects the permission check on the cache\u2011clear endpoint.", "If an upgrade cannot be performed immediately, disable the API integration feature in the Breeze settings to prevent unauthenticated access to the REST endpoint.", "Ensure that the /wp-json/breeze/v1/clear-all-cache endpoint requires authentication or remove it entirely to eliminate the missing authorization weakness."], "summary": {"action": "Patch Now", "impact": "unauthenticated server cache deletion affecting availability and performance"}, "threat_synthesis": {"affected_systems": "The flaw exists in Breeze Cache for WordPress versions up to and including 2.2.21, as used by Cloudways. Users should check whether their sites are running any version in this range and upgrade if possible.", "description_and_impact": "The Breeze \u2013 WordPress Cache Plugin contains a REST API endpoint\n`/wp-json/breeze/v1/clear-all-cache` that is registered with the permission callback\n`__return_true`. The API integration feature is enabled by default, which means\nthe endpoint accepts requests without authentication. An attacker who can submit a\nsimple POST request to this URL can clear all caches managed by the plugin \u2013 page\ncache, Varnish, and Cloudflare \u2013 regardless of user privileges. The vulnerability\ndoes not compromise confidentiality but can degrade site performance and user\nexperience by causing caches to be rebuilt on every request.", "risk_and_exploitability": "The CVSS score is 5.3, indicating a moderate impact. The EPSS score of < 1% suggests that, while the vulnerability is technically exploitable, it is unlikely to be widely targeted or automated at present. The vulnerability is not listed in CISA's KEV catalog. Attackers would need network access to the target WordPress site and the capability to craft a POST request to the exposed REST endpoint. Because the permission callback always returns true and authentication is disabled when the API is enabled, no additional privileges are required to exploit the flaw."}}}}, "created": "2026-02-19T10:07:13.879465+00:00", "updated": "2026-04-21T16:00:13.277859+00:00", "vendors": ["cloudways", "cloudways$PRODUCT$breeze", "wordpress", "wordpress$PRODUCT$wordpress"]}