Skip to main content

Breeze Cache

1 CVEs product

Monthly

CVE-2026-10551 MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the Breeze Cache WordPress plugin (versions before 2.5.6) allows unauthenticated attackers to inject arbitrary HTML attributes into cached page output by exploiting a predictable placeholder hash format used during HTML minification. The root cause is a weak, guessable replacement token generated during the minification pipeline combined with a flawed regular expression, meaning an attacker who can submit content to the site can anticipate the placeholder pattern and craft input that survives minification as injected markup. A publicly available proof-of-concept exploit exists; this vulnerability has not been confirmed in CISA KEV at time of analysis, but the low attack complexity and unauthenticated access requirement make it a realistic opportunistic target across WordPress deployments using this plugin.

XSS WordPress Breeze Cache
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the Breeze Cache WordPress plugin (versions before 2.5.6) allows unauthenticated attackers to inject arbitrary HTML attributes into cached page output by exploiting a predictable placeholder hash format used during HTML minification. The root cause is a weak, guessable replacement token generated during the minification pipeline combined with a flawed regular expression, meaning an attacker who can submit content to the site can anticipate the placeholder pattern and craft input that survives minification as injected markup. A publicly available proof-of-concept exploit exists; this vulnerability has not been confirmed in CISA KEV at time of analysis, but the low attack complexity and unauthenticated access requirement make it a realistic opportunistic target across WordPress deployments using this plugin.

XSS WordPress Breeze Cache
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy