Last updated: July 5, 2026 at 9:01 AM UTC
Tag: wordfence (2 articles)

Three WordPress plugins under active exploitation: Funnel Builder, Avada Builder, and Burst Statistics (1.2M+ sites at risk)

Three concurrent WordPress plugin issues are putting millions of sites at risk. Funnel Builder, used on 40,000+ WooCommerce sites, is being actively exploited: an unauthenticated attacker hits an unprotected checkout endpoint, modifies global plugin settings, and injects JavaScript skimmers into checkout pages. Avada Builder, with 1 million installs and bundled with the Avada theme, ships fixes in 3.15.3 for CVE-2026-4782 (CVSS 6.5 arbitrary file read by Subscriber-level users, exposes wp-config.php) and CVE-2026-4798 (CVSS 7.5 unauthenticated time-based blind SQL injection when WooCommerce was used then deactivated). Burst Statistics CVE-2026-8181 is an auth bypass already being exploited on 200,000 sites.

Check
Inventory WordPress sites you operate or manage for clients; check installed versions of Funnel Builder, Avada Builder (and the Avada theme), and Burst Statistics; pull web access logs for the affected checkout and Fusion shortcode endpoints.
Affected
WordPress sites running Funnel Builder before the latest patch, Avada Builder up to 3.15.2 (1M sites, bundled with the Avada theme), and Burst Statistics 3.4.0 or 3.4.1 (200K sites). WooCommerce checkout integrations face the highest impact.
Fix
Update Avada Builder to 3.15.3 (released May 12), update Burst Statistics to the patched release, apply the Funnel Builder fix, then rotate WordPress salts and database passwords on any site that ran a vulnerable Avada Builder version.

Attackers actively exploiting critical unauthenticated file upload flaw in Breeze Cache WordPress plugin on 400,000 sites (CVE-2026-3844)

Wordfence has seen more than 170 live exploit attempts against CVE-2026-3844, a critical unauthenticated arbitrary file upload in the Breeze Cache WordPress plugin from Cloudways. Breeze has roughly 400,000 active installations, making this one of the larger exposure events of the month. The flaw lives in the fetch_gravatar_from_remote function, which fetches avatar images from an arbitrary remote URL and saves them locally without validating the downloaded file's MIME type, so an attacker can point it at a .php payload and drop a webshell directly into a web-accessible directory. The attack is only possible when the 'Host Files Locally - Gravatars' add-on is enabled, which is not the default, but any site that turned it on for performance reasons is wide open. Cloudways shipped the fix as Breeze 2.4.5 earlier this week; as of publication only about 138,000 of the 400,000 installations had downloaded the patched version, leaving hundreds of thousands of sites exposed to a pre-auth RCE rated CVSS 9.8.

Check
Check every WordPress installation you run or manage (including marketing microsites, staff personal sites on corporate subdomains, and legacy tenant sites) for the Breeze Cache plugin and its version.
Affected
Breeze Cache WordPress plugin versions 2.4.4 and earlier, but only when the 'Host Files Locally - Gravatars' sub-feature has been enabled. CVSS 9.8. Discovered by security researcher Hung Nguyen (bashu). If you do not run that sub-feature the plugin is not currently exploitable via this bug, but the fix should still be applied immediately.
Fix
Update Breeze Cache to version 2.4.5 immediately across every site that uses it. If you cannot update straight away, disable the 'Host Files Locally - Gravatars' option or temporarily deactivate the plugin entirely. After patching, hunt the site's wp-content/uploads/cache directory and similar writable paths for recently created .php files and files with mismatched MIME types, check for new WordPress admin users, and review web server logs for POSTs to the Breeze gravatar endpoint from the exploitation window. Confirm no webshell has been planted before declaring the site clean.
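As an added example (not code from Wordfence, Cloudways or the Breeze project), a small POSIX shell triage helper for the two file-system indicators in the Fix step above: fresh .php files under writable cache paths, and image-named files whose bytes are not an image. The sniff_type/hunt_* names are hypothetical, and the demo tree and its contents are constructed.

```shell
#!/bin/sh
# Added example (not Wordfence, Cloudways or Breeze code): post-patch triage helper
# for two indicators named in the advisory: fresh .php files under writable
# upload/cache paths, and files whose content does not match their extension.

# sniff_type FILE : coarse content type from the first four bytes (no `file` needed)
sniff_type() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        89504e47) echo image/png ;;
        ffd8ff*)  echo image/jpeg ;;
        47494638) echo image/gif ;;
        3c3f7068) echo text/x-php ;;            # "<?ph": PHP source
        *)        echo application/octet-stream ;;
    esac
}

# hunt_php_files DIR DAYS : .php files modified within the last DAYS days
hunt_php_files() {
    find "$1" -type f -name '*.php' -mtime "-$2" 2>/dev/null | sort
}

# hunt_mime_mismatch DIR : image-named files whose leading bytes are not an image
hunt_mime_mismatch() {
    find "$1" -type f \( -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.gif' \) 2>/dev/null |
        sort | while IFS= read -r f; do
            t=$(sniff_type "$f")
            case "$t" in
                image/*) ;;
                *) printf '%s\t%s\n' "$t" "$f" ;;
            esac
        done
}

# demo : run both hunts over a constructed sample tree (made-up paths and contents)
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/cache/gravatars"
    printf '\211PNG\r\n\032\n' > "$root/wp-content/uploads/cache/gravatars/real.png"   # genuine PNG header
    printf '<?php echo 1; ?>' > "$root/wp-content/uploads/cache/gravatars/avatar.jpg" # PHP saved as an image
    printf '<?php echo 2; ?>' > "$root/wp-content/uploads/cache/dropper.php"          # fresh .php in cache dir
    echo "== recently modified .php files =="
    hunt_php_files "$root/wp-content/uploads/cache" 7
    echo "== extension / content mismatches =="
    hunt_mime_mismatch "$root/wp-content/uploads/cache"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see both hunts against the constructed tree; on a real site, point the two functions at wp-content/uploads/cache and any other plugin-writable paths.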