CVE-2025-13864 is a missing authorization vulnerability (CWE-862) affecting all versions of the Breeze Cache plugin for WordPress up to and including version 2.2.21. The vulnerability stems from the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with a permission callback set to `__return_true`, effectively bypassing any authorization checks. Additionally, the API integration feature that enables this endpoint disables authentication by default, allowing unauthenticated attackers to send a simple POST request to clear all caches managed by Breeze, including page cache, Varnish, and Cloudflare caches. This can lead to performance degradation, increased server load, and potential denial of service due to cache misses and increased backend processing. The vulnerability does not impact confidentiality or availability directly but affects integrity by allowing unauthorized modification of cache state. The CVSS 3.1 base score is 5.3 (medium), reflecting the ease of exploitation (network vector, no privileges, no user interaction) and limited impact scope (integrity only). No patches are currently linked, and no known exploits are reported in the wild, but the risk remains significant for sites relying on Breeze Cache with API integration enabled.

For European organizations, this vulnerability can disrupt website performance and availability by allowing attackers to clear caches without authorization. This can increase server load, slow down page delivery, and degrade user experience, which is critical for e-commerce, media, and service providers relying on WordPress. While it does not directly expose sensitive data or cause data loss, the integrity of cache management is compromised, potentially leading to temporary denial of service conditions. Organizations with high traffic volumes or those using Varnish and Cloudflare caching in conjunction with Breeze Cache are particularly vulnerable. The disruption could also affect SEO rankings and customer trust if websites become slow or intermittently unavailable. Given the widespread use of WordPress in Europe, especially in countries with large digital economies, the impact could be significant if exploited at scale.

1. Immediately disable the Breeze Cache API integration feature if it is not essential to your operations to prevent exposure of the vulnerable endpoint. 2. If API integration is required, restrict access to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` by implementing IP whitelisting or authentication proxies to ensure only trusted users or systems can invoke it. 3. Monitor web server and application logs for suspicious POST requests targeting the Breeze cache clear endpoint. 4. Apply vendor patches or updates as soon as they become available to enforce proper authorization checks on the endpoint. 5. Consider implementing Web Application Firewall (WAF) rules to block unauthorized requests to the Breeze REST API endpoints. 6. Educate administrators about the risks of enabling API integration without proper access controls. 7. Regularly audit WordPress plugins and their configurations to ensure security best practices are followed.