CVE-2025-13864
Awaiting Analysis Awaiting Analysis - Queue
Unauthorized Cache Clearing in Breeze WordPress Cache Plugin

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: Wordfence

Description
The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request, granted the administrator has enabled the API integration feature.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-14
NVD
CVE-2025-13864
EUVD
EUVD-2025-207864
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordfence breeze 2.2.22
wordfence breeze to 2.2.21 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Breeze - WordPress Cache Plugin for WordPress has a vulnerability in all versions up to and including 2.2.21. This vulnerability allows unauthorized users to clear all site caches without authentication. It occurs because the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` is registered with a permission callback that always returns true, and authentication is disabled by default when the API integration feature is enabled by the administrator.

Impact Analysis

This vulnerability allows unauthenticated attackers to clear all caches on the affected WordPress site, including page cache, Varnish, and Cloudflare caches. This can lead to performance degradation as cached content is removed, potentially increasing server load and slowing down the website for legitimate users.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13864. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart