RSS
Last updated: May 14, 2026 at 10:49 AM UTC
All 219 Vulnerability 76 Breach 45 Threat 91 Defense 7
Tag: breeze-cache (1 article)Clear
vulnerability
CVE-2026-3844
2026-04-23

Attackers actively exploiting critical unauthenticated file upload flaw in Breeze Cache WordPress plugin on 400,000 sites (CVE-2026-3844)

Wordfence has seen more than 170 live exploit attempts against CVE-2026-3844, a critical unauthenticated arbitrary file upload in the Breeze Cache WordPress plugin from Cloudways. Breeze has roughly 400,000 active installations, making this one of the larger exposure events of the month. The flaw lives in the fetch_gravatar_from_remote function, which fetches avatar images from an arbitrary remote URL and saves them locally without validating the downloaded file's MIME type - so an attacker can point it at a .php payload and drop a webshell directly into a web-accessible directory. The attack is only possible when the 'Host Files Locally - Gravatars' add-on is enabled, which is not the default, but any site that turned it on for performance reasons is wide open. Cloudways shipped the fix as Breeze 2.4.5 earlier this week; as of publication only about 138,000 of the 400,000 installations had downloaded the patched version, leaving hundreds of thousands of sites exposed to a pre-auth RCE with 9.8 CVSS.

wordpressbreeze-cachecloudwaysunauthenticated-rcefile-uploadactively-exploitedwordfence
Check
Check every WordPress installation you run or manage (including marketing microsites, staff personal sites on corporate subdomains, and legacy tenant sites) for the Breeze Cache plugin and its version.
Affected
Breeze Cache WordPress plugin versions 2.4.4 and earlier, but only when the 'Host Files Locally - Gravatars' sub-feature has been enabled. CVSS 9.8. Discovered by security researcher Hung Nguyen (bashu). If you do not run that sub-feature the plugin is not currently exploitable via this bug, but the fix should still be applied immediately.
Fix
Update Breeze Cache to version 2.4.5 immediately across every site that uses it. If you cannot update straight away, disable the 'Host Files Locally - Gravatars' option or temporarily deactivate the plugin entirely. After patching, hunt the site's wp-content/uploads/cache directory and similar writable paths for recently-created .php files and files with mismatched MIME types, check for new WordPress admin users, and review web server logs for POSTs to the Breeze gravatar endpoint from the exploitation window. Confirm no webshell has been planted before declaring the site clean.