CVE-2025-13864 MEDIUM

CVE-2025-13864: Breeze – WordPress Cache Plugin <= 2.2.21 - Missing Authorization to Cache Deletion

Vendor Cloudways
Product Breeze Cache
Weakness CWE-862 · Missing authorization
Published February 19, 2026
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request, granted the administrator has enabled the API integration feature.

Explanation of Vulnerability in Simple Terms

02Summary

Breeze Cache for Cloudways versions up to 2.2.21 lack proper authorization checks, allowing unauthenticated attackers to modify cached content or settings over the network. The vulnerability requires no user interaction and can be exploited remotely. Site administrators should update to a version newer than 2.2.21 to restore proper access controls.

What an attacker can do

03Attacker Capabilities

Modify cached content or cache settings without authentication.

Potential impact on your site

04Site Impact

Attackers can alter cached pages or disable caching, affecting site integrity and performance.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06Disclosure timeline

February 19, 2026 CVE published
April 8, 2026 Record updated