Attack Vectors
CVE-2025-13864 affects the Breeze – WordPress Cache Plugin (slug: breeze) in versions 2.2.21 and below and is rated Medium severity (CVSS 5.3). The issue can be exploited remotely over the internet when a site administrator has enabled Breeze’s API integration feature.
The core attack path is straightforward: an unauthenticated attacker can send a simple POST request to the Breeze REST endpoint /wp-json/breeze/v1/clear-all-cache and trigger cache clearing. This may include page cache, Varnish, and Cloudflare cache clearing, depending on how Breeze is configured in that environment.
Security Weakness
This is a missing authorization problem. The REST API endpoint is registered with a permissive access setting (permission_callback => '__return_true'), and authentication is disabled by default when the API is enabled. In business terms, the control that should restrict a powerful operational action (clearing caches) is not consistently enforced.
Importantly, the exposure depends on configuration: the vulnerability becomes actionable when an administrator has enabled the API integration feature in Breeze.
Technical or Business Impacts
While this vulnerability does not indicate data theft (the published vector lists no confidentiality impact), it can still create meaningful business risk. Unauthorized cache clearing can lead to performance instability, higher infrastructure load, and user-facing slowdowns—especially during campaigns, product launches, or peak traffic periods.
For marketing and executive stakeholders, the practical impacts can include reduced conversion rates due to slower pages, inconsistent user experience, and wasted ad spend if landing pages load poorly. Operations teams may also see increased support tickets and monitoring alerts, and compliance teams may need to document the incident response if the site’s availability or service performance is materially affected.
Remediation: Update Breeze to version 2.2.22 or newer (patched). Track this as a Medium-severity issue and prioritize it based on whether the Breeze API integration is enabled and whether your site relies on caching for performance and campaign outcomes.
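To check whether the endpoint described above has already been called on a site, the following added example (not code from the Breeze project or the original advisory) scans web server access logs for accepted POST requests to the route. It assumes Combined Log Format, and it also matches WordPress's rest_route query form of the same route; the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

ROUTE = "/breeze/v1/clear-all-cache"  # REST route named in the advisory

# Combined Log Format (assumed): ip - user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def hits_route(target):
    """True if the request target resolves to the clear-all-cache route."""
    parts = urlsplit(target)
    if unquote(parts.path).rstrip("/").endswith("/wp-json" + ROUTE):
        return True
    # WordPress also serves REST routes through the rest_route query parameter.
    routes = parse_qs(parts.query).get("rest_route", [])
    return any(r.rstrip("/") == ROUTE for r in routes)

def find_cache_clears(lines):
    """Return (events, per_ip) for POSTs to the route that got a 2xx reply."""
    events, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not hits_route(m["target"]):
            continue
        if m["status"].startswith("2"):  # 2xx: the server accepted the request
            events.append((m["ts"], m["ip"], m["target"]))
            per_ip[m["ip"]] += 1
    return events, per_ip

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Dec/2025:09:14:02 +0000] "POST /wp-json/breeze/v1/clear-all-cache HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Dec/2025:09:14:07 +0000] "POST /?rest_route=%2Fbreeze%2Fv1%2Fclear-all-cache HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '198.51.100.20 - - [10/Dec/2025:09:20:11 +0000] "GET /wp-json/breeze/v1/clear-all-cache HTTP/1.1" 404 120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Dec/2025:09:21:30 +0000] "POST /wp-json/breeze/v1/clear-all-cache HTTP/1.1" 401 98 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Dec/2025:09:25:00 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 201 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    events, per_ip = find_cache_clears(SAMPLE)
    for ts, ip, target in events:
        print(f"{ts}  {ip}  POST {target}")
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} accepted cache-clear request(s)")
```

Access logs do not record whether a request was authenticated, so compare the reported sources against the integrations that are expected to call the Breeze API.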
Similar Attacks
Authorization gaps in exposed endpoints are a common way attackers trigger unwanted actions without needing credentials. For context, here are real, publicly documented examples of high-impact authorization failures (not necessarily WordPress-specific) that illustrate the broader pattern:
CVE-2021-44228 (Log4Shell) — a widely exploited flaw that showed how internet-exposed services can be targeted at scale when a simple request can trigger dangerous behavior.
CVE-2017-5638 (Apache Struts) — another example of a remotely exploitable weakness that attackers used to cause significant business disruption.