CVE-2025-13864
Unauthorized Cache Clearing in Breeze WordPress Cache Plugin
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | breeze | 2.2.22 |
| wordfence | breeze | to 2.2.21 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Breeze - WordPress Cache Plugin for WordPress has a vulnerability in all versions up to and including 2.2.21. This vulnerability allows unauthorized users to clear all site caches without authentication. It occurs because the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` is registered with a permission callback that always returns true, and authentication is disabled by default when the API integration feature is enabled by the administrator.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to clear all caches on the affected WordPress site, including page cache, Varnish, and Cloudflare caches. This can lead to performance degradation as cached content is removed, potentially increasing server load and slowing down the website for legitimate users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know