CVE-2026-10551 PUBLISHED

Breeze Cache < 2.5.6 - Unauthenticated Stored XSS via Minify Library

Assigner: WPScan
Reserved: 01.06.2026 Published: 13.07.2026 Updated: 13.07.2026

The Breeze Cache WordPress plugin before 2.5.6 is vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

Product Status

Vendor Unknown
Product Breeze Cache
Versions Default: unaffected
  • affected from 0 to 2.5.6 (excl.)

Credits

  • Matthew Rollings finder
  • WPScan coordinator

References

Problem Types

  • CWE-79 Cross-Site Scripting (XSS) CWE