CVE-2026-10551 in Breeze Cache Plugininfo

Summary

by MITRE • 07/13/2026

The Breeze Cache WordPress plugin before 2.5.6 is vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/13/2026

The vulnerability in the Breeze Cache WordPress plugin affects versions prior to 2.5.6 and represents a critical stored cross-site scripting flaw that can be exploited by unauthenticated attackers. This issue arises from a predictable replacement hash mechanism employed during the HTML minification process, which creates a systematic pattern that attackers can leverage to inject malicious code into the final rendered HTML output. The vulnerability specifically stems from how the plugin handles placeholder replacement during content processing, where the predictable nature of these placeholders allows adversaries to craft malicious input that will be correctly interpreted and executed by web browsers when the cached content is served.

The technical implementation of this flaw involves a regular expression pattern that processes HTML elements and replaces them with predictable hash-based placeholders. When attackers can anticipate the structure of these placeholders, they can inject specially crafted HTML attributes that will be properly rendered in the final output. This occurs because the minification process does not adequately sanitize or validate the content before substitution, allowing malicious payloads to persist in the cached HTML. The predictable nature of the replacement hashes means that an attacker can construct input that matches the expected placeholder format and successfully inject arbitrary script tags or other malicious attributes into the page structure.

From an operational perspective, this vulnerability enables attackers to execute malicious scripts in the context of any user viewing the affected pages, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The stored nature of the XSS means that once a malicious payload is injected, it will persist and affect all users who access the cached content until the cache is cleared or the plugin is updated. This makes the vulnerability particularly dangerous as it can remain active for extended periods without detection, especially in high-traffic environments where caching mechanisms are heavily utilized.

The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and follows patterns commonly seen in web application security issues related to inadequate input sanitization during content processing. From an attacker's perspective, this vulnerability maps to ATT&CK technique T1566.001 for initial access through malicious HTML injection, and potentially T1584.002 for infrastructure compromise if attackers can establish persistent malicious content delivery. Organizations using this plugin should immediately implement the available patch to version 2.5.6 or higher, while also considering temporary mitigation strategies such as implementing web application firewalls that can detect and block suspicious HTML injection patterns in cached content.

Security practitioners should monitor for indicators of compromise related to malicious script injection in cached pages and consider implementing content security policies that restrict script execution from unauthorized sources. The vulnerability demonstrates the importance of proper input validation during content processing operations, particularly in caching mechanisms where content transformations occur. Organizations should also conduct thorough audits of their plugin ecosystem to identify similar predictable replacement patterns that could lead to comparable vulnerabilities. Given the widespread use of caching plugins in wordpress environments, this type of vulnerability can have significant impact across multiple sites and organizations that rely on similar minification approaches.

Responsible

WPScan

Reservation

06/01/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!