Breeze Cache WordPress Plugin File Upload Exploit

CVE-2026-3844 lets unauthenticated attackers upload arbitrary files to WordPress sites running Breeze Cache. 170+ exploitation attempts logged. Patch now.

April 23, 2026 | VibeWShield News Agent | bleepingcomputer.com

Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

Breeze Cache File Upload Flaw Under Active Exploitation

A critical file upload vulnerability in the Breeze Cache WordPress plugin is being actively exploited in the wild. Tracked as CVE-2026-3844, the flaw scores a 9.8 out of 10 on the CVSS scale and allows unauthenticated attackers to upload arbitrary files to any affected server. Wordfence has already logged more than 170 exploitation attempts. With over 400,000 active installations of Breeze Cache, a caching plugin built by Cloudways, the attack surface is significant.

Security researcher Hung Nguyen (bashu) discovered and reported the vulnerability. Cloudways pushed a fix in version 2.4.5 earlier this week.

How the CVE-2026-3844 Vulnerability Works

The root cause is missing file-type validation inside the fetch_gravatar_from_remote function. When the "Host Files Locally - Gravatars" add-on is enabled, this function fetches remote Gravatar images and stores them locally. Because there is no check on what file type is actually being uploaded, an attacker can send a request that deposits a malicious file, such as a PHP web shell, directly onto the server.

No authentication is required. The attacker does not need an account, elevated privileges, or any prior foothold. A single HTTP request is enough to drop executable code on the server.

One important constraint: exploitation only works if the "Host Files Locally - Gravatars" feature is switched on. This is not the default configuration. But given that Wordfence has already logged more than 170 attempts, some production sites clearly have this option enabled.

What Developers and Site Owners Are Risking

Successful exploitation leads to remote code execution and full website takeover. Once an attacker has a working web shell on your server, they can read database credentials, exfiltrate user data, pivot to other hosted applications, or enroll the server into a botnet.

WordPress.org data shows approximately 138,000 downloads since version 2.4.5 shipped. That leaves a large but unquantifiable number of sites still running 2.4.4 or earlier. Unpatched sites with the Gravatars add-on enabled are immediately vulnerable. Unpatched sites without it are protected from this specific attack path, but the underlying code defect still exists until they patch.

The broader risk here is a pattern that repeats constantly in WordPress plugin security: a single unvalidated input in a trusted plugin hands attackers a direct route to server-level access.

How to Fix the Breeze Cache Vulnerability

The remediation steps are straightforward and should be treated as urgent.

  • Update immediately. Upgrade Breeze Cache to version 2.4.5 or later. This is the only complete fix.
  • Disable the add-on as a stopgap. If upgrading is not immediately possible, go to the plugin settings and disable "Host Files Locally - Gravatars." This removes the exploitable code path.
  • Audit your uploads directory. If your site has been running the vulnerable configuration, check for unexpected PHP files in your WordPress uploads folder. Look for files with extensions like .php, .phtml, or .php7 that do not belong there.
  • Review server logs. Search for unusual POST requests targeting the Gravatar-related endpoints around and before the patch date.
  • Run an automated scan. Tools like VibeWShield can detect exposed upload endpoints and unauthenticated file write vectors before attackers find them.
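
The uploads audit from the list above, sketched in Python as an added example (not code from Cloudways, Wordfence or the original report). The extension list extends the article's .php, .phtml and .php7 with other suffixes PHP handlers commonly execute, and the default wp-content/uploads path is an assumption; pass your own.

```python
import os
import sys

# Extensions from the article plus other suffixes PHP handlers commonly run (added assumption).
EXEC_EXTS = {".php", ".phtml", ".php7", ".php5", ".phar", ".pht"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
# Leading bytes a genuine cached avatar image should start with.
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"RIFF")


def classify(path):
    """Return a reason string if the file looks out of place in uploads, else None."""
    name = os.path.basename(path).lower()
    # Check every dot-separated suffix so shell.php.jpg and shell.jpg.php are both caught.
    suffixes = {"." + part for part in name.split(".")[1:]}
    if suffixes & EXEC_EXTS:
        return "php-executable extension"
    with open(path, "rb") as fh:
        head = fh.read(65536)
    # Only the long open tag is matched; the 3-byte short tag is too noisy in binary data.
    if b"<?php" in head.lower():
        return "php open tag in content"
    if suffixes & IMAGE_EXTS and not head.startswith(MAGIC):
        return "image extension without image header"
    return None


def audit(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                reason = classify(full)
            except OSError as exc:
                reason = f"unreadable: {exc.strerror}"
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)


if __name__ == "__main__":
    # Default path is an assumption; pass the site's uploads directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for rel, reason in audit(target):
        print(f"{reason}\t{rel}")
```

A finding is a lead to inspect, not proof of compromise; compare file timestamps against the window in which the add-on was enabled on a vulnerable version.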



FAQ

Does CVE-2026-3844 affect every Breeze Cache installation?

Only installations running version 2.4.4 or earlier with the "Host Files Locally - Gravatars" add-on enabled are directly exploitable. Sites without that add-on active are not vulnerable to this specific attack, but should still patch because the underlying code defect exists in the plugin regardless.

What should I do if I cannot update Breeze Cache right now?

Disable the "Host Files Locally - Gravatars" add-on immediately. This removes the vulnerable code path without requiring a full plugin update. Schedule the update to 2.4.5 as soon as your maintenance window allows.

How can I tell if my site has already been compromised?

Check your WordPress uploads directory and any writable paths for unexpected PHP files. Review your web server access logs for unusual POST requests to Breeze Cache endpoints. A file integrity monitor or an external DAST scan can help surface indicators of compromise that are easy to miss manually.

