5.3
The Breeze WordPress Plugin Allows Unapproved Cache Clearing
CVE-2025-13864
Summary
The Breeze WordPress plugin, in all versions up to and including 2.2.21, has a security flaw that lets anyone clear your website's cache without logging in, provided the administrator has enabled the plugin's REST API integration feature. This means that an attacker could make your website seem broken or show incorrect information to visitors. To fix this, update the plugin to the latest version or disable the REST API integration feature to prevent unauthorized cache clearing.
Original title
The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/br...
Original description
The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request, granted the administrator has enabled the API integration feature.
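To check whether the endpoint described above has been called on a site, the following added example (not code from the plugin or from the advisory's authors) scans web server access logs for POST requests to the route and counts the ones the server accepted per source address. It assumes the combined log format; the function names and sample lines are constructed for illustration, and the detector also normalizes WordPress's `?rest_route=` form of REST URLs.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Route named in the advisory; the log format and sample lines are assumptions.
ROUTE = "/breeze/v1/clear-all-cache"

# Combined log format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def rest_route(target):
    """Return the WordPress REST route a request target resolves to, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    idx = path.find("/wp-json/")
    if idx != -1:   # pretty permalinks: /wp-json/<route>
        route = path[idx + len("/wp-json"):]
    else:           # plain permalinks: ?rest_route=/<route>
        route = parse_qs(parts.query).get("rest_route", [""])[0]
    # Collapse duplicate slashes, drop the trailing one, compare case-insensitively.
    return re.sub(r"/{2,}", "/", route).rstrip("/").lower() or None

def find_cache_clears(lines):
    """Return (ip, timestamp, status) for each POST to the clear-all-cache route."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and rest_route(m["target"]) == ROUTE:
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

def accepted_by_source(hits):
    """Count requests the server answered with 2xx, per source address."""
    return Counter(ip for ip, _, status in hits if 200 <= status < 300)

SAMPLE_LOG = [  # constructed lines using documentation address ranges
    '203.0.113.7 - - [06/Mar/2026:10:00:01 +0000] "POST /wp-json/breeze/v1/clear-all-cache HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '203.0.113.7 - - [06/Mar/2026:10:00:03 +0000] "POST /index.php?rest_route=%2Fbreeze%2Fv1%2Fclear-all-cache HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '198.51.100.9 - - [06/Mar/2026:10:01:10 +0000] "POST /wp-json/breeze/v1/clear-all-cache/ HTTP/1.1" 401 120 "-" "python-requests/2.31"',
    '198.51.100.20 - - [06/Mar/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_cache_clears(SAMPLE_LOG)
    for ip, n in accepted_by_source(hits).items():
        print(f"{ip}: {n} accepted cache-clear request(s)")
```

An access log does not record whether a request carried credentials, so accepted requests from addresses that are not your own deployment tooling are the ones to review.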
NVD CVSS 3.1
5.3
Vulnerability type
CWE-862
Missing Authorization
- https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.21/inc/breeze-admin.p...
- https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.21/inc/class-breeze-a...
- https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.21/inc/class-breeze-a...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5a3c16a5-65e5-4fe9-b7f...
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026