{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69364", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:41.875Z", "datePublished": "2026-01-06T16:36:42.620Z", "dateUpdated": "2026-04-28T16:14:38.858Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "breeze", "product": "Breeze", "vendor": "Cloudways", "versions": [{"changes": [{"at": "2.2.22", "status": "unaffected"}], "lessThanOrEqual": "2.2.21", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:11.086Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Breeze: from n/a through <= 2.2.21.</p>"}], "value": "Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through <= 2.2.21."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:38.858Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/breeze/vulnerability/wordpress-breeze-plugin-2-2-21-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Breeze plugin <= 2.2.21 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T21:36:46.013488Z", "id": "CVE-2025-69364", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T19:53:30.518Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-15T21:36:46.013488Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T21:36:40.461Z"}}], "cna": {"title": "WordPress Breeze plugin <= 2.2.21 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Cloudways", "product": "Breeze", "versions": [{"status": "affected", "changes": [{"at": "2.2.22", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.2.21"}], "packageName": "breeze", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:11.086Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/breeze/vulnerability/wordpress-breeze-plugin-2-2-21-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through <= 2.2.21.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Breeze: from n/a through <= 2.2.21.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:01.591Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69364", "state": "PUBLISHED", "dateUpdated": "2026-04-27T19:53:30.518Z", "dateReserved": "2025-12-31T20:12:41.875Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-06T16:36:42.620Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through <= 2.2.21."}], "id": "CVE-2025-69364", "lastModified": "2026-04-27T21:16:25.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-06T17:15:49.023", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/breeze/vulnerability/wordpress-breeze-plugin-2-2-21-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:50:21.807265+00:00", "value": {"mitigation_remediation": ["Update the Breeze plugin to a version newer than 2.2.21 according to the vendor\u2019s recommendation.", "Configure WordPress to restrict access to Breeze\u2011related settings and administrative actions exclusively to administrators or highly privileged roles.", "Inspect and tighten any custom role capabilities that may grant unnecessary access to Breeze functions, and monitor site logs for anomalous activity."], "summary": {"action": "Apply Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The issue affects the Breeze plugin from early releases up through version 2.2.21, released by Cloudways. Any WordPress installation running Breeze 2.2.21 or earlier is at risk, regardless of the WordPress core version.", "description_and_impact": "The vulnerability is a missing authorization flaw in the Breeze plugin for WordPress, which allows an unauthenticated or low\u2011privileged user to perform actions that should be limited to authorized administrators. The flaw is due to incorrectly configured access control security levels, enabling potential exploitation of administrative functions such as configuring settings, viewing site information, or creating new content. The potential impact includes unauthorized data disclosure, modification, or creation within the affected WordPress site.", "risk_and_exploitability": "The CVSS score of 5.3 classifies the flaw as moderate severity, and the EPSS value of less than 1% indicates a very low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. Because the flaw relies on incorrect access control in a publicly exposed plugin, the attack vector is likely through the web interface of the WordPress site without additional privilege. An attacker can exploit the flaw by sending crafted requests to Breeze\u2011controlled endpoints while authenticated as a regular user or, in some configurations, even as an unauthenticated visitor if the plugin is misconfigured to expose certain endpoints."}}}}, "created": "2026-01-07T10:08:52.196406+00:00", "updated": "2026-04-27T22:00:16.543251+00:00", "vendors": ["cloudways", "cloudways$PRODUCT$breeze", "wordpress", "wordpress$PRODUCT$wordpress"]}