[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fj-590JY16tC2bWXgziJbw8__MsH9NFjnTpqmpZIgqkg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":9,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":35},"CVE-2026-2128","breeze-cache-unauthenticated-exposure-of-sensitive-information-to-an-unauthorized-actor-via-crafted-login-cookie","Breeze Cache \u003C= 2.5.2 - Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor via Crafted Login Cookie","The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2 This is due to improper verification of the `wordpress_logged_in_` cookie in the `inc\u002Fcache\u002Fexecute-cache.php` file when the \"Cache Logged-in Users\" setting is enabled. The plugin parses the username directly from the cookie value (e.g., `username|hash`) using `substr()` to retrieve the corresponding cache file but fails to verify the session's cryptographic signature or validity with WordPress core. This makes it possible for unauthenticated attackers to supply a crafted cookie (e.g., `wordpress_logged_in_fake=admin|fake`) to trick the plugin into serving the cached HTML content generated for an administrator, leading to the disclosure of sensitive information such as private posts (including their full content), the Admin Bar, WordPress nonces, and other data visible only to logged-in administrators or other users.","breeze",null,"\u003C=2.5.2","2.5.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-05-28 14:55:00","2026-05-29 03:39:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff0b6c41d-833e-4ad4-bdb6-c38fef3eb7f4?source=api-prod",1,[22,23,24],"breeze.php","changelog.txt","readme.txt","researched",false,3,"# Research Plan: CVE-2026-2128 - Breeze Cache Sensitive Information Exposure\n\n## 1. Vulnerability Summary\nThe Breeze Cache plugin (versions \u003C= 2.5.2) contains a flaw in its early-loading cache execution logic. When the \"Cache Logged-in Users\" feature is enabled, the plugin attempts to serve user-specific cached HTML files by identifying the user from the `wordpress_logged_in_` cookie. \n\nThe vulnerability exists in `inc\u002Fcache\u002Fexecute-cache.php` because the plugin parses the username directly from the cookie string using `substr()` and `strpos()` without validating the cryptographic HMAC signature attached to the WordPress cookie. An unauthenticated attacker can provide a malformed or crafted cookie that specifies a high-privilege username (e.g., `admin`), prompting the plugin to serve the cached version of a page intended only for that administrator. This exposes private posts, admin bars, nonces, and other sensitive session-specific data.\n\n## 2. Attack Vector Analysis\n- **Vulnerable File:** `inc\u002Fcache\u002Fexecute-cache.php`\n- **Trigger Setting:** The \"Cache Logged-in Users\" option must be enabled (`breeze-cache-logged-in-user`).\n- **HTTP Parameter:** `Cookie` header containing a key starting with `wordpress_logged_in_`.\n- **Payload Structure:** `wordpress_logged_in_[hash]=[username]|[anything]`\n- **Authentication:** Unauthenticated.\n- **Precondition:** A cached version of the target page for the target user must already exist in the `wp-content\u002Fcache\u002Fbreeze\u002F` directory.\n\n## 3. Code Flow\n1. **Request Initialization:** A request is made to a WordPress URL.\n2. **Early Loading:** WordPress (or `advanced-cache.php`) includes `inc\u002Fcache\u002Fexecute-cache.php` early in the boot process.\n3. **Cookie Parsing:** The code iterates through `$_COOKIE` to find a key matching `wordpress_logged_in_`.\n4. **Insecure Extraction:**\n   - It identifies the cookie value.\n   - It finds the first pipe `|` character.\n   - It extracts everything before the pipe as the `$username`.\n   - **Crucially:** It does not call `wp_validate_auth_cookie()` or any signature verification because the full WordPress environment isn't always loaded at this stage of caching.\n5. **Cache Lookup:**\n   - The plugin generates a cache key based on the URL and the extracted `$username`.\n   - It constructs a file path: `wp-content\u002Fcache\u002Fbreeze\u002F[url_hash]\u002Fbreeze_[user_hash].html` (or similar).\n6. **Information Disclosure:** If the file exists, it is read and printed to the output buffer using `readfile()` or `file_get_contents()`, then execution terminates (`exit`).\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required for this exploit.**\nThe vulnerability occurs during the cache-serving phase, which happens before WordPress processes nonces. In fact, one of the primary impacts of this vulnerability is the **leakage of valid administrative nonces** found within the served cached HTML, which could then be used for further attacks.\n\n## 5. Exploitation Strategy\n\n### Step 1: Discover the Admin Username\nIdentify a valid administrator username (usually `admin` or can be found via author archives).\n\n### Step 2: Prepare the Target\nWait for (or trigger) the administrator to visit a sensitive page (like a private post or the homepage) while \"Cache Logged-in Users\" is active. This populates the cache.\n\n### Step 3: Craft the Request\nSend an unauthenticated request to the target URL with a spoofed login cookie.\n\n**HTTP Request:**\n```http\nGET \u002F?p=[private_post_id] HTTP\u002F1.1\nHost: localhost\nCookie: wordpress_logged_in_bypass=[admin_username]|invalid_hash_ignored_by_plugin\n```\n\n**Payload Details:**\n- **Cookie Name:** Must start with `wordpress_logged_in_`. The suffix doesn't matter as the plugin typically uses `strpos($key, 'wordpress_logged_in_') === 0`.\n- **Cookie Value:** `admin|12345`. The plugin splits at the first `|` and takes `admin` as the identity.\n\n### Step 4: Analyze Response\nIf successful, the response will contain the HTML rendered for the admin, including:\n- Content of private\u002Fdraft posts.\n- The WordPress Admin Bar (at the top of the HTML).\n- Administrative nonces (e.g., `_wpnonce`).\n\n## 6. Test Data Setup\n1. **Install Plugin:** Install Breeze Cache version 2.5.2.\n2. **Configure Plugin:**\n   - Use `wp option update breeze_manager_options ...` to enable caching.\n   - Specifically, set `breeze-cache-logged-in-user` to `1`.\n3. **Create Content:**\n   - Create an admin user: `wp user create victim_admin admin@example.com --role=administrator --user_pass=password123`.\n   - Create a private post: `wp post create --post_title='Secret Admin Intel' --post_content='Flag: EXFIL_SUCCESS' --post_status=private --post_author=[admin_id]`.\n4. **Generate Cache:**\n   - Use the `browser_navigate` tool to log in as `victim_admin`.\n   - Navigate to the private post URL to ensure Breeze generates a cache file for this user.\n   - Verify the cache file exists in `wp-content\u002Fcache\u002Fbreeze\u002F`.\n\n## 7. Expected Results\n- The HTTP response from the unauthenticated request (with the crafted cookie) should return `200 OK`.\n- The body of the response should contain the string `Flag: EXFIL_SUCCESS`.\n- The body should contain the class `admin-bar`, indicating the server \"thinks\" it's serving a logged-in administrator.\n\n## 8. Verification Steps\n1. **Check Cache Directory:** Use `ls -R wp-content\u002Fcache\u002Fbreeze\u002F` to confirm files are being created with user-specific identifiers in their names.\n2. **Examine Response Content:** Verify that the `http_request` response for the private post does NOT return a 404 or a login redirect, but instead returns the full content of the private post.\n\n## 9. Alternative Approaches\nIf the standard `wordpress_logged_in_` cookie name is not being picked up:\n- Check if the site uses a custom `COOKIEHASH`. The plugin may look for `wordpress_logged_in_` followed by a specific MD5 hash. This hash can be calculated from the site URL.\n- Try requesting the homepage (`\u002F`). Often the homepage is cached for admins and contains \"Edit Post\" links and nonces that prove the bypass.\n- If the username extraction uses a different delimiter in newer PHP versions or specific OS environments, test `admin%7Cfake` (URL encoded) vs `admin|fake`. (The source specifically mentions `substr` on the raw cookie value).","The Breeze Cache plugin (versions \u003C= 2.5.2) is vulnerable to sensitive information disclosure when the \"Cache Logged-in Users\" feature is active. The plugin extracts usernames from the 'wordpress_logged_in_' cookie without verifying its cryptographic HMAC signature, allowing unauthenticated attackers to view cached pages generated for other users, such as administrators, by providing a crafted cookie.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbreeze\u002F2.5.2\u002Fbreeze.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbreeze\u002F2.5.3\u002Fbreeze.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbreeze\u002F2.5.2\u002Fbreeze.php\t2026-05-15 07:59:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbreeze\u002F2.5.3\u002Fbreeze.php\t2026-05-21 11:01:36.000000000 +0000\n@@ -2,7 +2,7 @@\n \u002F**\n  * Plugin Name: Breeze\n  * Description: Breeze is a cache plugin with extensive options to speed up your website. All the options including Varnish Cache are compatible with Cloudways hosting.\n- * Version: 2.5.2\n+ * Version: 2.5.3\n  * Text Domain: breeze\n  * Domain Path: \u002Flanguages\n  * Author: Cloudways\n@@ -37,7 +37,7 @@\n \tdefine( 'BREEZE_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );\n }\n if ( ! defined( 'BREEZE_VERSION' ) ) {\n-\tdefine( 'BREEZE_VERSION', '2.5.2' );\n+\tdefine( 'BREEZE_VERSION', '2.5.3' );\n }\n if ( ! defined( 'BREEZE_SITEURL' ) ) {\n \tdefine( 'BREEZE_SITEURL', get_site_url() );\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbreeze\u002F2.5.2\u002Fchangelog.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbreeze\u002F2.5.3\u002Fchangelog.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbreeze\u002F2.5.2\u002Fchangelog.txt\t2026-05-15 07:59:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbreeze\u002F2.5.3\u002Fchangelog.txt\t2026-05-21 11:01:36.000000000 +0000\n@@ -1,5 +1,9 @@\n == Changelog ==\n \n+= 2.5.3 =\n+\n+* Compatibility: Verified compatibility with WordPress 7.0.\n+\n = 2.5.2 =\n \n * Improved: Refined multisite handling across settings, cache management, import\u002Fexport, and reset actions for more consistent behavior and better scope control.\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbreeze\u002F2.5.2\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbreeze\u002F2.5.3\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbreeze\u002F2.5.2\u002Freadme.txt\t2026-05-15 07:59:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbreeze\u002F2.5.3\u002Freadme.txt\t2026-05-21 11:01:36.000000000 +0000\n@@ -2,9 +2,9 @@\n Contributors: Cloudways\n Tags: cache,caching, performance, wp-cache, cdn\n Requires at least: 6.0\n-Tested up to: 6.9\n+Tested up to: 7.0\n Requires PHP: 7.4\n-Stable tag: 2.5.2\n+Stable tag: 2.5.3\n License: GPLv2 or later\n License URI: http:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\n \n@@ -160,6 +160,10 @@\n \n == Changelog ==\n \n+= 2.5.3 =\n+\n+* Compatibility: Verified compatibility with WordPress 7.0.\n+\n = 2.5.2 =\n \n * Improved: Refined multisite handling across settings, cache management, import\u002Fexport, and reset actions for more consistent behavior and better scope control.","1. Target Site Setup: Ensure the 'Cache Logged-in Users' setting is enabled in the Breeze Cache plugin and identify a target username (e.g., 'admin').\n2. Populate Cache: Confirm that a cached file for the target user exists for the URL you intend to request. This typically happens when the user visits the page while logged in.\n3. Craft Payload: Create a HTTP GET request to the target URL.\n4. Inject Spoofed Cookie: Add a 'Cookie' header containing a key starting with 'wordpress_logged_in_'. The value must be formatted as '[target_username]|', followed by any character (e.g., 'wordpress_logged_in_spoof=admin|anything').\n5. Execution: Send the request unauthenticated. The plugin's early-loading cache logic will parse the username from the crafted cookie without validating the signature and serve the cached HTML file associated with that user.\n6. Exfiltration: Analyze the response for sensitive content such as private post data, the WordPress Admin Bar, and administrative nonces.","gemini-3-flash-preview","2026-06-04 15:42:22","2026-06-04 15:42:49",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","2.5.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbreeze\u002Ftags\u002F2.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbreeze.2.5.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbreeze\u002Ftags\u002F2.5.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbreeze.2.5.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbreeze\u002Ftags"]