Hackers exploit file upload bug in Breeze Cache WordPress plugin

Published: April 23, 2026 at 05:33 PM EDT

Source: Bleeping Computer

Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files on the server without authentication.

The security issue is tracked as CVE-2026-3844 and has been leveraged in more than 170 exploitation attempts detected by the Wordfence security solution for the WordPress ecosystem.

The Breeze Cache WordPress caching plugin from Cloudways has more than 400,000 active installations and is designed to improve performance and loading speed by reducing page load frequency through caching, file optimization, and database cleanup.

Vulnerability Details

Researchers at WordPress security company Defiant, the developer of Wordfence, say that the problem stems from missing file-type validation in the fetch_gravatar_from_remote function. This allows an unauthenticated attacker to upload arbitrary files to the server, which can lead to remote code execution (RCE) and complete website takeover.

Successful exploitation is possible only if the "Host Files Locally – Gravatars" add-on is turned on, which is not the default state, according to the Wordfence advisory.
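The bug class described above is a remote fetch that writes whatever it receives to disk without checking that the content is an image. The following is an added, hypothetical example of how such a "host gravatars locally" routine can be hardened; it is not Breeze Cache code. It assumes a gravatars subdirectory under the uploads directory, a 32-character hex avatar hash, and a 512 KiB size cap.

```php
<?php
// Added example, not the plugin's own code: validate a remotely fetched avatar
// before storing it locally. The file type is decided from the received bytes,
// never from the URL, the remote Content-Type header, or any caller-supplied
// extension, and the on-disk name is built only from the avatar hash.

const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Returns the extension to store $bytes under, or null if the content is not
 * an allowed raster image. The MIME sniff and the image header must agree.
 */
function validate_avatar_bytes(string $bytes): ?string {
    if ($bytes === '' || strlen($bytes) > 512 * 1024) { // assumed size policy
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($bytes);            // sniffed from content only
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    $info = @getimagesizefromstring($bytes);    // must parse as that image type
    if ($info === false || ($info['mime'] ?? '') !== $mime) {
        return null;
    }
    // Even if the bytes also carry other content, the extension comes from
    // the allowlist, so the file is never stored with a server-executable name.
    return ALLOWED_IMAGE_TYPES[$mime];
}

/** Builds the target path from the hash alone; no attacker-controlled name. */
function local_avatar_path(string $uploadsDir, string $avatarHash, string $ext): string {
    if (!preg_match('/^[a-f0-9]{32}$/', $avatarHash)) {
        throw new InvalidArgumentException('avatar hash must be 32 hex characters');
    }
    return rtrim($uploadsDir, '/') . '/gravatars/' . $avatarHash . '.' . $ext;
}

/** Stores the avatar and returns its path, or null if validation rejected it. */
function store_remote_avatar(string $uploadsDir, string $avatarHash, string $bytes): ?string {
    $ext = validate_avatar_bytes($bytes);
    if ($ext === null) {
        return null;                            // refuse anything not a verified image
    }
    $path = local_avatar_path($uploadsDir, $avatarHash, $ext);
    if (!is_dir(dirname($path)) && !mkdir(dirname($path), 0755, true)) {
        return null;
    }
    return file_put_contents($path, $bytes) === false ? null : $path;
}
```

Pairing this with a web-server rule that denies script execution inside the uploads directory gives a second, independent layer should a validation check ever be bypassed.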

The vulnerability received a critical severity score of 9.8/10 and was discovered and reported by security researcher Hung Nguyen (bashu).

Affected Versions and Fix

  • Affected: All Breeze Cache versions up to and including 2.4.4.
  • Fixed: Cloudways released version 2.4.5, which patches the flaw. The update was made available earlier this week.

According to statistics from WordPress.org, the plugin has had roughly 138,000 downloads since the release of the latest version. The exact number of vulnerable sites is unknown because there is no data on how many have the “Host Files Locally – Gravatars” feature enabled.

Recommendations

  • Upgrade immediately to Breeze Cache version 2.4.5 or later.
  • If upgrading is not possible, disable the "Host Files Locally – Gravatars" add-on to mitigate the risk.
  • Monitor your site for any suspicious activity and ensure that Wordfence (or another security plugin) is up to date to detect exploitation attempts.