Breeze Cache Unauthenticated Information Exposure Vulnerability

Vulnerability

A vulnerability exists in the Breeze plugin for WordPress, in versions up to and including 2.5.2, that allows unauthorized exposure of sensitive information. The issue arises from improper verification of the 'wordpress_logged_in_' cookie in the 'inc/cache/execute-cache.php' file when the 'Cache Logged-in Users' setting is enabled. The plugin parses the username directly out of the cookie value with 'substr()' and uses it to select the corresponding cache file, but never validates the cookie's cryptographic signature or session integrity against WordPress core. As a result, an unauthenticated attacker can send a crafted cookie that causes the plugin to serve cached HTML intended for an administrator. This can disclose sensitive data, including private posts, the Admin Bar, WordPress nonces, and other content that is accessible only to logged-in administrators or specific users.
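The root cause described above is a cache layer that trusts the username field of the login cookie without checking the signature that WordPress core attaches to it. The following PHP is an added illustrative example and is not Breeze's code or its actual patch: it places the vulnerable pattern (take the first '|'-separated field of the cookie at face value) next to a hardened variant that only serves a per-user cache entry after core's 'wp_validate_auth_cookie()' has verified the HMAC, expiry and session token. The cache directory layout ('cache/<user>/index.html'), the function names and the sample cookie values are assumptions for the example.

```php
<?php
// Added illustrative example; not Breeze's own code or its fix.
// Assumes a per-user cache under cache/<key>/index.html and that the cache
// layer may run before WordPress core is loaded (typical for a cache drop-in).

const LOGGED_IN_COOKIE_PREFIX = 'wordpress_logged_in_';

// Vulnerable pattern: the cookie value is "username|expiration|token|hmac",
// and the username is taken from it with no signature check at all, so any
// client can name an arbitrary account and receive that account's cache.
function vulnerable_cache_path(array $cookies): ?string {
    foreach ($cookies as $name => $value) {
        if (strpos($name, LOGGED_IN_COOKIE_PREFIX) === 0) {
            $username = substr($value, 0, (int) strpos($value, '|'));
            return 'cache/' . $username . '/index.html';
        }
    }
    return null;
}

// Hardened pattern: refuse to serve a logged-in user's cache unless the
// cookie has been validated by core. wp_validate_auth_cookie() checks the
// HMAC (keyed with the site's salts), the expiration and the session token,
// returning the user ID or false. Keying the cache by the integer user ID
// rather than the cookie's username also removes any path-manipulation risk.
function hardened_cache_path(array $cookies): ?string {
    if (!function_exists('wp_validate_auth_cookie')) {
        // Core is not loaded yet, so the signature cannot be verified:
        // do not serve any per-user cache; let WordPress render normally.
        return null;
    }
    foreach ($cookies as $name => $value) {
        if (strpos($name, LOGGED_IN_COOKIE_PREFIX) === 0) {
            $user_id = wp_validate_auth_cookie($value, 'logged_in');
            if ($user_id === false) {
                return null; // forged, expired, or issued for another site
            }
            return 'cache/' . (int) $user_id . '/index.html';
        }
    }
    return null;
}

// Constructed cookie jar for demonstration; the hash fields are placeholders.
$cookies = [
    'wordpress_logged_in_0123abcd' => 'admin|1900000000|placeholdertoken|placeholderhmac',
];

// Vulnerable path selection resolves to cache/admin/index.html purely because
// the client said "admin". The hardened version returns null here because
// core is not loaded in this standalone script, so nothing is served.
var_dump(vulnerable_cache_path($cookies));
var_dump(hardened_cache_path($cookies));
```

When reviewing a caching plugin for this class of bug, the question to ask of every per-user cache lookup is which component verified the identity the cache key is built from; a cookie field copied with 'substr()' or 'explode()' before core has loaded is a signal that nothing did.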

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive information, such as private posts and administrative data, by allowing attackers to impersonate an administrator through manipulated cookie values.

Reproduction

To reproduce this vulnerability, first ensure that the Breeze plugin is installed and activated on a WordPress site. Then, navigate to the plugin's settings and enable the 'Cache Logged-in Users' option. After this, an unauthenticated user can send a request with a crafted 'wordpress_logged_in_' cookie that includes a username and hash. The Breeze plugin will then serve cached content intended for the administrator, including sensitive information like private posts and administrative tools.

Remediation

Users are advised to update the Breeze plugin to version 2.5.3 or later, where this vulnerability has been patched.

Added: May 29, 2026, 5:21 AM
Updated: May 29, 2026, 5:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.