CVE-2026-2128
Description
The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2 This is due to improper verification of the wordpress_logged_in_ cookie in the inc/cache/execute-cache.php file when the "Cache Logged-in Users" setting is enabled. The plugin parses the username directly from the cookie value (e.g., username|hash) using substr() to retrieve the corresponding cache file but fails to verify the session's cryptographic signature or validity with WordPress core. This makes it possible for unauthenticated attackers to supply a crafted cookie (e.g., wordpress_logged_in_fake=admin|fake) to trick the plugin into serving the cached HTML content generated for an administrator, leading to the disclosure of sensitive information such as private posts (including their full content), the Admin Bar, WordPress nonces, and other data visible only to logged-in administrators or other users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=2.5.2+ 1 more
- (no CPE)range: <=2.5.2
- (no CPE)range: <=2.5.2
Package: https://wordpress.org/plugins/breeze
Patches
Vulnerability mechanics
References
7- plugins.trac.wordpress.org/browser/breeze/tags/2.2.24/inc/cache/execute-cache.phpnvd
- plugins.trac.wordpress.org/browser/breeze/tags/2.2.24/inc/cache/execute-cache.phpnvd
- plugins.trac.wordpress.org/browser/breeze/trunk/inc/cache/execute-cache.phpnvd
- plugins.trac.wordpress.org/changeset/3456822/breeze/trunk/inc/cache/execute-cache.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/f0b6c41d-833e-4ad4-bdb6-c38fef3eb7f4nvd
News mentions
2- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)Wordfence Blog · Jun 4, 2026
- WordPress Plugin Batch: 25 CVEs Across 20+ Plugins Disclosed in Late May 2026Vypr Intelligence · May 31, 2026