CVE-2026-2128 MEDIUM

CVE-2026-2128: Breeze Cache <= 2.5.2 - Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor via Crafted Login Cookie

Vendor Cloudways
Product Breeze Cache
Weakness CWE-200 · Info exposure
Published May 29, 2026
Last update May 29, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2. This is due to improper verification of the `wordpress_logged_in_` cookie in the `inc/cache/execute-cache.php` file when the "Cache Logged-in Users" setting is enabled. The plugin parses the username directly from the cookie value (e.g., `username|hash`) using `substr()` to retrieve the corresponding cache file, but fails to verify the session's cryptographic signature or validity with WordPress core. This makes it possible for unauthenticated attackers to supply a crafted cookie (e.g., `wordpress_logged_in_fake=admin|fake`) to trick the plugin into serving the cached HTML content generated for an administrator, leading to the disclosure of sensitive information such as private posts (including their full content), the Admin Bar, WordPress nonces, and other data visible only to logged-in administrators or other users.
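The flaw class described above, as an added example that is not the plugin's or WordPress core's code: a simplified Python model contrasting a cache lookup keyed on the unverified cookie prefix with one that checks structure, expiry and an HMAC first. The function names, `SECRET`, the timestamp and the single-key HMAC scheme are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: one constructed secret stands in for the server-side signing key.
SECRET = b"constructed-demo-secret"


def sign_cookie(username, expiration, token, secret=SECRET):
    """Build a username|expiration|token|hmac value (simplified model)."""
    msg = f"{username}|{expiration}|{token}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{username}|{expiration}|{token}|{mac}"


def cache_user_unverified(cookie_value):
    """Flawed pattern from the description: trust the text before the first '|'."""
    cut = cookie_value.find("|")
    return cookie_value[:cut] if cut > 0 else None


def cache_user_verified(cookie_value, now, secret=SECRET):
    """Return the username only if structure, expiry and signature all check out."""
    parts = cookie_value.split("|")
    if len(parts) != 4:
        return None
    username, expiration, token, mac = parts
    if not (expiration.isascii() and expiration.isdigit()):
        return None
    if int(expiration) < now:
        return None
    msg = f"{username}|{expiration}|{token}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if hmac.compare_digest(expected.encode(), mac.encode()):
        return username
    return None


NOW = 1_780_000_000  # constructed timestamp
CRAFTED = "admin|fake"  # cookie value quoted in the advisory
GENUINE = sign_cookie("admin", NOW + 3600, "constructedtoken")

if __name__ == "__main__":
    for label, value in (("crafted", CRAFTED), ("genuine", GENUINE)):
        print(label, cache_user_unverified(value), cache_user_verified(value, NOW))
```

A cache layer that cannot perform this verification itself should not select a per-user cache file from the cookie at all and should fall through to the uncached, fully authenticated request path.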

Explanation of Vulnerability in Simple Terms

02 Summary

Breeze Cache versions 2.5.2 and earlier expose sensitive information that can be accessed over the network without authentication. An attacker can retrieve this data directly, potentially gaining access to cached content or configuration details not intended for public view. Update to a version newer than 2.5.2 to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Read sensitive cached data or configuration information without logging in.

Potential impact on your site

04 Site Impact

Visitors or attackers can access private cached content, potentially exposing user data or site configuration.

Conditions required to exploit

05 Prerequisites

Network access to a site where the "Cache Logged-in Users" setting is enabled; no authentication or user interaction required.

Key dates

06 Disclosure timeline

May 29, 2026 CVE published
May 29, 2026 Record updated