CVE-2025-23999

Vulnerability

The Breeze plugin for WordPress (versions from n/a through 2.2.13) contains a missing authorization vulnerability [1]. The plugin fails to properly enforce access control security levels for certain administrative actions. This affects all Breeze installations running any version up to and including 2.2.13, regardless of the underlying WordPress version [1].

Exploitation

An attacker with low-privileged access (e.g., a subscriber or contributor account) can exploit the incorrectly configured access controls to perform unauthorized actions. The exact sequence of steps is not disclosed in the available references, but the vulnerability can be triggered without requiring any special network position or user interaction beyond having a valid WordPress user account [1].

Impact

Successful exploitation allows an attacker to bypass intended authorization checks, potentially gaining access to administrative features of the Breeze plugin that should be restricted to higher-privileged users. This could lead to unauthorized modification of caching settings, configuration changes, or other sensitive plugin operations [1].

Mitigation

The vendor has released Breeze version 2.5.3 on 2026-05-21 [1], which likely contains a fix for this vulnerability. Users should update to the latest available version. If immediate update is not possible, ensure that only trusted users have accounts on the WordPress site, and review user roles and capabilities. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.