VYPR
Medium severity · 5.3 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-2128

Description

The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2. This is due to improper verification of the wordpress_logged_in_ cookie in the inc/cache/execute-cache.php file when the "Cache Logged-in Users" setting is enabled. The plugin parses the username directly from the cookie value (e.g., username|hash) using substr() to retrieve the corresponding cache file but fails to verify the session's cryptographic signature or validity with WordPress core. This makes it possible for unauthenticated attackers to supply a crafted cookie (e.g., wordpress_logged_in_fake=admin|fake) to trick the plugin into serving the cached HTML content generated for an administrator, leading to the disclosure of sensitive information such as private posts (including their full content), the Admin Bar, WordPress nonces, and other data visible only to logged-in administrators or other users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-2128: Breeze plugin ≤2.5.2 fails to validate logged-in cookie signature, allowing unauthenticated attackers to read cached admin pages.

Vulnerability

The Breeze plugin for WordPress versions up to and including 2.5.2 contains an improper cookie verification vulnerability in the inc/cache/execute-cache.php file. When the "Cache Logged-in Users" setting is enabled, the code extracts the username from the wordpress_logged_in_ cookie using a substr() call to determine which per-user cache folder to serve. It does not validate the cookie's cryptographic signature or session validity against WordPress core [1][2]. An unauthenticated attacker can therefore supply a crafted cookie (e.g., wordpress_logged_in_fake=admin|fake) and have the cache lookup performed under any username of their choosing, without holding a session for that user.

Exploitation

An attacker sends an ordinary HTTP request carrying a wordpress_logged_in_ cookie whose value names an arbitrary user. No prior authentication or special network position is required. The plugin parses the cookie value and, based on the extracted username, tries to serve the corresponding cached HTML file. The only precondition is that a cache entry for that user already exists, which is the case once the targeted user has loaded the page while "Cache Logged-in Users" is enabled; the attacker then receives the page as it was rendered for that user [1][2].

Impact

Successful exploitation discloses information that should only be visible to authenticated users: the content of private posts, the Admin Bar, WordPress nonces, and other admin-specific elements of the cached page. The disclosed nonces and page structure can support further attacks, such as chaining toward privilege escalation or bypassing controls that rely on those values staying secret.

Mitigation

The vulnerability has been fixed in version 2.5.3 of the Breeze plugin. Users are advised to update to the latest version immediately. As a temporary workaround, site administrators can disable the "Cache Logged-in Users" setting in the plugin's configuration until the update is applied, which stops the plugin from serving per-user cache entries on the strength of the cookie alone.
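As an added illustration for the vulnerability, exploitation and mitigation sections above (this is neither Breeze's code nor WordPress core's actual cookie derivation), the following Python model contrasts the unsafe pattern the advisory describes, a prefix match on the cookie name followed by cutting the username off the value, with a version that verifies the cookie before trusting its username. The four-field value shape username|expiration|token|hmac follows the layout of the WordPress logged_in cookie; the signing key, the cache root and all function names are assumptions of the model.

```python
import hashlib
import hmac
import time

COOKIE_PREFIX = "wordpress_logged_in_"

# Constructed key standing in for the per-user material WordPress derives
# when it signs the logged_in cookie. It is an assumption of this model,
# not the real derivation.
LOGGED_IN_KEY = b"demo-logged-in-key-not-real"


def vulnerable_username(cookies):
    """Model of the unsafe pattern in the advisory: take the first cookie whose
    name starts with the prefix and treat everything before the first '|' as
    the username, without checking any signature or expiry."""
    for name, value in cookies.items():
        if name.startswith(COOKIE_PREFIX):
            sep = value.find("|")
            return value if sep == -1 else value[:sep]
    return None


def sign(username, expiration, token, key=LOGGED_IN_KEY):
    """HMAC over the signed fields; stands in for the core signature."""
    msg = f"{username}|{expiration}|{token}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_cookie(username, expiration, token, key=LOGGED_IN_KEY):
    """Build a correctly signed four-field cookie value (constructed sample)."""
    return f"{username}|{expiration}|{token}|{sign(username, expiration, token, key)}"


def verified_username(cookies, key=LOGGED_IN_KEY, now=None):
    """Hardened counterpart: return the username only when the value has the
    four-field shape, is unexpired, and carries a valid HMAC. Anything else,
    including the advisory's 'admin|fake', yields None."""
    now = time.time() if now is None else now
    for name, value in cookies.items():
        if not name.startswith(COOKIE_PREFIX):
            continue
        parts = value.split("|")
        if len(parts) != 4:
            return None
        username, expiration, token, mac = parts
        if not expiration.isdigit() or int(expiration) < now:
            return None
        expected = sign(username, expiration, token, key)
        if not hmac.compare_digest(expected, mac):
            return None
        return username
    return None


def cache_path(cache_root, username):
    """Per-user cache file selected from the username; with the unsafe parser
    the attacker controls which user's folder is read."""
    return f"{cache_root}/{username}/index.html"


if __name__ == "__main__":
    crafted = {"wordpress_logged_in_fake": "admin|fake"}   # from the advisory
    print("vulnerable parser:", vulnerable_username(crafted))
    print("verified parser:  ", verified_username(crafted))
```

Run stand-alone, the unsafe parser hands back "admin" for the crafted cookie and would go on to read the administrator's cache file, while the verifying parser rejects it; a cookie produced by make_cookie with the model key and a future expiration is accepted by both.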

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
