Home

Description

The Breeze Cache WordPress plugin before 2.5.6 is vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

PUBLISHED Reserved 2026-06-01 | Published 2026-07-13 | Updated 2026-07-13 | Assigner WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status
unaffected

Any version before 2.5.6
affected

Credits

Matthew Rollings finder

WPScan coordinator

References

wpscan.com/...rability/381fb82f-2fdc-49cb-bb0d-8d70ead61d86/ exploit vdb-entry technical-description

cve.org (CVE-2026-10551)

nvd.nist.gov (CVE-2026-10551)

Download JSON