Vulnerabilities | Apr 23, 2026

Hackers exploit file upload bug in Breeze Cache WordPress plugin

Critical file upload vulnerability in Breeze Cache WordPress plugin actively exploited in 170+ attacks.

Summary

A critical vulnerability (CVE-2026-3844, CVSS 9.8) in the Breeze Cache WordPress plugin allows unauthenticated attackers to upload arbitrary files and achieve remote code execution. The flaw affects versions up to 2.4.4 and stems from missing file-type validation in the 'fetch_gravatar_from_remote' function when the "Host Files Locally - Gravatars" add-on is enabled. Cloudways released a patch in version 2.4.5, but active exploitation has already been detected in over 170 attempts.

Full text

By Bill Toulas, April 23, 2026 05:33 PM

Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files to the server without authentication. The security issue is tracked as CVE-2026-3844 and has been seen in more than 170 exploitation attempts detected by Wordfence, the security solution for the WordPress ecosystem.

The Breeze Cache WordPress caching plugin from Cloudways has more than 400,000 active installations and is designed to improve performance and loading speed by reducing page load frequency through caching, file optimization, and database cleanup.

The vulnerability received a critical severity score of 9.8 out of 10 and was discovered and reported by security researcher Hung Nguyen (bashu).

Researchers at WordPress security company Defiant, the developer of Wordfence, say that the problem stems from missing file-type validation in the 'fetch_gravatar_from_remote' function. This allows an unauthenticated attacker to upload arbitrary files to the server, which can lead to remote code execution (RCE) and complete website takeover.

However, successful exploitation is possible only if the "Host Files Locally - Gravatars" add-on is turned on, which is not the default state, the researchers say.

CVE-2026-3844 affects all Breeze Cache versions up to and including 2.4.4. Cloudways fixed the flaw in version 2.4.5, released earlier this week. According to statistics from WordPress.org, the plugin has had roughly 138,000 downloads since the release of the latest version. It is unclear how many websites remain vulnerable, though, because there is no data on how many have the "Host Files Locally - Gravatars" add-on enabled.

Given the active exploitation, website owners and admins who rely on Breeze Cache to boost performance are advised to upgrade to the latest version of the plugin as soon as possible or to temporarily disable it. If upgrading is currently not possible, admins should at least disable the "Host Files Locally - Gravatars" add-on.
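The root cause the article describes is a remote-fetch-and-store routine that never checks what kind of file it is writing to disk. The following is an added, hypothetical PHP example (not Breeze Cache's code, and not the actual 'fetch_gravatar_from_remote' function) showing the checks a "host avatars locally" helper would need so that only verified image bytes, under a server-chosen name and extension, ever reach the filesystem. The function name, the allowed-host pattern, the size cap and the storage layout are all assumptions; the WordPress HTTP API calls used (wp_safe_remote_get, wp_remote_retrieve_body, wp_tempnam, trailingslashit) are real core functions.

```php
<?php
/**
 * Hypothetical hardened "host Gravatar locally" helper. Added example only;
 * not code from the Breeze Cache plugin. Names and policy are assumptions.
 */

// Only these MIME types are accepted for an avatar. The stored extension is
// derived from the detected MIME type, never from the remote URL.
const EXAMPLE_AVATAR_ALLOWED_MIME = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];
const EXAMPLE_AVATAR_MAX_BYTES = 512 * 1024; // assumed cap: 512 KiB

/**
 * Fetch a remote avatar and store it under $store_dir.
 * Returns the local path on success or a WP_Error on any validation failure.
 */
function example_fetch_gravatar_locally( string $url, string $store_dir ) {
    // 1. Only fetch from the host family we expect (assumed: gravatar.com).
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! $host || ! preg_match( '/(^|\.)gravatar\.com$/i', $host ) ) {
        return new WP_Error( 'avatar_host', 'Unexpected avatar host.' );
    }

    // 2. Retrieve with a bounded timeout and response-size cap.
    //    wp_safe_remote_get also rejects redirects to non-public hosts.
    $response = wp_safe_remote_get( $url, [
        'timeout'             => 5,
        'limit_response_size' => EXAMPLE_AVATAR_MAX_BYTES,
    ] );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'avatar_fetch', 'Avatar could not be retrieved.' );
    }
    $body = wp_remote_retrieve_body( $response );

    // 3. Validate the bytes themselves, not the URL and not the Content-Type
    //    header, both of which are controlled by the remote side.
    $info = @getimagesizefromstring( $body );
    if ( false === $info || ! isset( EXAMPLE_AVATAR_ALLOWED_MIME[ $info['mime'] ] ) ) {
        return new WP_Error( 'avatar_type', 'Downloaded data is not an allowed image type.' );
    }
    $ext = EXAMPLE_AVATAR_ALLOWED_MIME[ $info['mime'] ];

    // 4. The filename is a hash of the URL plus the server-chosen extension,
    //    so no remote-controlled name, path segment or extension is ever used.
    $filename = hash( 'sha256', $url ) . '.' . $ext;
    $path     = trailingslashit( $store_dir ) . $filename;

    // 5. Write to a temp file first, then move it into place atomically.
    $tmp = wp_tempnam( $filename );
    if ( false === file_put_contents( $tmp, $body ) || ! rename( $tmp, $path ) ) {
        @unlink( $tmp );
        return new WP_Error( 'avatar_write', 'Could not store avatar.' );
    }
    return $path;
}
```

The important design choice is that nothing about the stored file (name, extension, or contents) is taken on trust from the remote response: the type is established from the bytes with getimagesizefromstring, the extension is looked up from that type, and the name is a hash. An equivalent check on the upload side (for example in a content-scanning or WAF rule) is to alert on any file written under the avatar directory whose extension is not in the allow-list.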

Indicators of Compromise

  • cve — CVE-2026-3844

Entities

  • Breeze Cache (product)
  • Cloudways (vendor)
  • WordPress (product)
  • Wordfence (product)
  • Defiant (vendor)