Last updated: May 14, 2026 at 10:49 AM UTC
Tag: file-upload (2 articles)

Attackers actively exploiting critical unauthenticated file upload flaw in Breeze Cache WordPress plugin on 400,000 sites (CVE-2026-3844)

Wordfence has seen more than 170 live exploit attempts against CVE-2026-3844, a critical unauthenticated arbitrary file upload in the Breeze Cache WordPress plugin from Cloudways. Breeze has roughly 400,000 active installations, making this one of the larger exposure events of the month. The flaw lives in the fetch_gravatar_from_remote function, which fetches avatar images from an arbitrary remote URL and saves them locally without validating the downloaded file's MIME type, so an attacker can point it at a .php payload and drop a webshell directly into a web-accessible directory. The attack is only possible when the 'Host Files Locally - Gravatars' add-on is enabled, which is not the default, but any site that turned it on for performance reasons is wide open. Cloudways shipped the fix as Breeze 2.4.5 earlier this week; as of publication only about 138,000 of the 400,000 installations had downloaded the patched version, leaving hundreds of thousands of sites exposed to a pre-auth RCE rated CVSS 9.8.

Check
Check every WordPress installation you run or manage (including marketing microsites, staff personal sites on corporate subdomains, and legacy tenant sites) for the Breeze Cache plugin and its version.
Affected
Breeze Cache WordPress plugin versions 2.4.4 and earlier, but only when the 'Host Files Locally - Gravatars' sub-feature has been enabled. CVSS 9.8. Discovered by security researcher Hung Nguyen (bashu). If you do not run that sub-feature the plugin is not currently exploitable via this bug, but the fix should still be applied immediately.
Fix
Update Breeze Cache to version 2.4.5 immediately across every site that uses it. If you cannot update straight away, disable the 'Host Files Locally - Gravatars' option or temporarily deactivate the plugin entirely. After patching, hunt the site's wp-content/uploads/cache directory and similar writable paths for recently created .php files and files with mismatched MIME types, check for new WordPress admin users, and review web server logs for POSTs to the Breeze gravatar endpoint from the exploitation window. Confirm no webshell has been planted before declaring the site clean.
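One way to run the file hunt described in the Fix step, as an added example that is not code from this page, Wordfence or Cloudways. The function names (classify, hunt, build_sample), the extension and magic-byte lists, and the constructed sample tree are assumptions for illustration; it also goes slightly beyond the text by flagging a PHP open tag inside any file.

```python
import os
import stat
import tempfile

# Leading bytes expected for image extensions an avatar cache may hold (assumed list).
IMAGE_MAGIC = {".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
               ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}
SCRIPT_EXTS = {".php", ".phtml", ".phar"}  # assumed list of executable extensions

def classify(path):
    """Return the reasons a file looks suspicious; an empty list means none."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(65536)  # only the first 64 KiB is inspected
    reasons = ["script-extension"] if ext in SCRIPT_EXTS else []
    if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
        reasons.append("magic-mismatch")  # extension says image, content does not
    if b"<?php" in head.lower():
        reasons.append("php-open-tag")
    return reasons

def hunt(root, since_epoch):
    """Map relative path -> reasons for regular files modified since since_epoch."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
                if not stat.S_ISREG(st.st_mode) or st.st_mtime < since_epoch:
                    continue  # skip symlinks/devices and files older than the window
                reasons = classify(full)
            except OSError:
                continue  # unreadable, or removed while walking
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_sample():
    """Constructed demo tree standing in for wp-content/uploads/cache."""
    root = tempfile.mkdtemp()
    samples = {"a.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16, "b.jpg": b"<?php /* marker */ ?>",
               "c.php": b"<?php /* marker */ ?>", "old.php": b"<?php /* old */ ?>"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    os.utime(os.path.join(root, "old.php"), (0, 0))  # backdate outside the window
    return root
```

File modification times can be reset by anyone who already has code execution on the host, so pass since_epoch=0 for a full sweep before declaring a site clean.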

Ninja Forms WordPress plugin allows unauthenticated file upload leading to remote code execution

A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows attackers to upload arbitrary files - including PHP web shells - without any authentication. Over 800,000 WordPress sites use Ninja Forms, and the File Uploads extension is one of its most popular premium add-ons. Successful exploitation gives an attacker full code execution on the web server. No user interaction required - just a crafted request to the file upload endpoint.

Check
Check if any of your WordPress sites use the Ninja Forms File Uploads premium add-on. This is a premium extension, not the free Ninja Forms base plugin.
Affected
WordPress sites running the Ninja Forms File Uploads premium add-on (vulnerable versions not yet confirmed in public reporting). The free base Ninja Forms plugin alone is not affected.
Fix
Update the Ninja Forms File Uploads add-on to the latest version immediately. If you can't patch right away, temporarily disable the file upload functionality. Review your web server logs for unexpected file uploads in the Ninja Forms upload directory. Use a WAF rule to block PHP file uploads to Ninja Forms endpoints.