Atomic Edge analysis of CVE-2026-2128:
This vulnerability affects the Breeze Cache plugin for WordPress, up to version 2.5.2. The issue resides in the `inc/cache/execute-cache.php` file. The plugin’s improper verification of the `wordpress_logged_in_` cookie allows an unauthenticated attacker to access cached content intended for logged-in administrators. The CVSS score is 5.3 (Medium).
Root Cause: The vulnerability stems from the plugin’s caching mechanism for logged-in users. When the “Cache Logged-in Users” setting is enabled, the plugin uses the `substr()` function in `inc/cache/execute-cache.php` to parse the username directly from the `wordpress_logged_in_` cookie value (format `username|hash`). The plugin retrieves the corresponding cache file based on this extracted username. However, it never verifies the cookie’s cryptographic signature or validity with WordPress core. This means any value in the cookie is accepted without authentication. The specific code path is in `inc/cache/execute-cache.php`, where the cookie is parsed to determine the cache file to serve.
Exploitation: An unauthenticated attacker can send a crafted HTTP request to any page on the WordPress site. The attacker sets a `wordpress_logged_in_` cookie with a fabricated value, such as `wordpress_logged_in_fake=admin|fake`. The plugin parses the username `admin` from this cookie and serves the cached HTML content generated for an administrator. The attack requires no authentication and no special endpoint. The attacker simply sends a GET request with the crafted cookie to any URL on the site. The plugin’s caching logic then uses the cookie to identify the user, retrieves the cache file for that user role, and serves it.
Patch Analysis: The diff shown for the official patch (version 2.5.3) only updates the version numbers in `breeze.php` and does not include the functional change, so the actual security fix must have been applied to `inc/cache/execute-cache.php` in a separate commit. The fix should validate the `wordpress_logged_in_` cookie by verifying its cryptographic signature using WordPress’s `wp_verify_nonce()` or similar core functions. This ensures only legitimate, signed cookies are used to identify users for cache file serving. Before the patch, the plugin blindly trusted the cookie’s username field. After the patch, the plugin should discard invalid cookies and serve default (non-logged-in) cache content.
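The unverified lookup described under Root Cause, beside the verified form that Patch Analysis calls for, as an added example that is not Breeze's code or the vendor's patch. The function names, `DEMO_KEY` and the HMAC check are assumptions that stand in for WordPress core's cookie validation (`wp_validate_auth_cookie()`).

```php
<?php
// Added illustration, not Breeze's code. Function names and DEMO_KEY are
// hypothetical; the cookie format (username|hash) is the one the page gives.
const DEMO_KEY = 'constructed-demo-secret'; // stand-in for the site's secret

// Stand-in signature check. In WordPress, core does this job in
// wp_validate_auth_cookie(); the HMAC here only models "signed by the site".
function demo_cookie_is_valid(string $value): bool {
    $parts = explode('|', $value, 2);
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    $expected = hash_hmac('sha256', $parts[0], DEMO_KEY);
    return hash_equals($expected, $parts[1]); // constant-time comparison
}

// Value of the first wordpress_logged_in_* cookie, or null if none is set.
function demo_login_cookie(array $cookies): ?string {
    foreach ($cookies as $name => $value) {
        if (strpos((string) $name, 'wordpress_logged_in_') === 0) {
            return (string) $value;
        }
    }
    return null;
}

// Pattern from the root cause: the username is cut out with substr() and
// selects the cache file; the hash part is never looked at.
function cache_user_unverified(array $cookies): string {
    $value = demo_login_cookie($cookies);
    if ($value === null) {
        return '';
    }
    $pos = strpos($value, '|');
    return $pos === false ? $value : substr($value, 0, $pos);
}

// Hardened form: a cookie that fails verification means "not logged in",
// so the default (non-logged-in) cache is served.
function cache_user_verified(array $cookies): string {
    $value = demo_login_cookie($cookies);
    if ($value === null || !demo_cookie_is_valid($value)) {
        return '';
    }
    return substr($value, 0, strpos($value, '|'));
}

$forged = ['wordpress_logged_in_fake' => 'admin|fake']; // value quoted on the page
$signed = ['wordpress_logged_in_demo' => 'admin|' . hash_hmac('sha256', 'admin', DEMO_KEY)]; // constructed
var_dump(cache_user_unverified($forged), cache_user_verified($forged), cache_user_verified($signed));
```

Run with the PHP CLI, it dumps the cache identity each function selects for the forged cookie and for the constructed signed one.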
Impact: If exploited, this vulnerability allows an attacker to access sensitive information intended only for logged-in administrators. This includes private posts with full content, the Admin Bar (which reveals WordPress admin URLs and menu structures), and WordPress nonces (which can be used for CSRF attacks). The exposure of nonces can enable further attacks, such as privilege escalation or arbitrary content modification. The overall impact is information disclosure, which can compromise the confidentiality of the WordPress site.







