Breeze – WordPress Cache Plugin < 2.2.22 – Missing Authorization to Cache Deletion | CVE 2025-13864 | Plugin Vulnerabilities

Description

The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request, granted the administrator has enabled the API integration feature.

Affects Plugins

Fixed in 2.2.22

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5a3c16a5-65e5-4fe9-b7f0-2e021534c054

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

NosleeP++

Verified

No

WPVDB ID

470c7d50-9df7-401e-9873-278e1f7a157e

Timeline

Publicly Published

2026-02-18 (about 2 months ago)

Added

2026-02-18 (about 2 months ago)

Last Updated

2026-02-19 (about 2 months ago)

Other

Published

Title

Published

2026-01-04

Title

MapIt <= 3.0.3 - Missing Authorization

Published

2025-05-19

Title

GDPR CCPA Compliance Support < 2.7.4 - Missing Authorization

Published

2025-11-22

Title

HelloLeads CRM Form Shortcode <= 1.0 - Unauthenticated Settings Reset

Published

2024-06-06

Title

Copymatic – AI Content Writer & Generator < 2.0 - Missing Authorization

Published

2024-04-04

Title

Happy Addons for Elementor < 3.10.5 - Incorrect Authorization to Information Exposure