Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files to the server without authentication.
The security issue is tracked as CVE-2026-3844 and has been leveraged in more than 170 exploitation attempts observed by the Wordfence security solution for the WordPress ecosystem.
The Breeze Cache WordPress caching plugin from Cloudways has more than 400,000 active installations and is designed to improve performance and loading speed by reducing page load frequency through caching, file optimization, and database cleanup.
The vulnerability received a critical severity score of 9.8 out of 10 and was discovered and reported by security researcher Hung Nguyen (bashu).
Researchers at WordPress security firm Defiant, the developer of Wordfence, say that the problem stems from missing file-type validation in the ‘fetch_gravatar_from_remote’ function.
This allows an unauthenticated attacker to upload arbitrary files to the server, which can lead to remote code execution (RCE) and complete website takeover.
However, successful exploitation is possible only if the “Host Files Locally – Gravatars” add-on is turned on, which is not the default state, the researchers say.
CVE-2026-3844 affects all Breeze Cache versions up to and including 2.4.4. Cloudways fixed the flaw in version 2.4.5, released earlier this week.
According to statistics from WordPress.org, the plugin has had roughly 138,000 downloads since the release of the latest version. It is unclear how many websites are vulnerable, though, because there is no data on the number that have Host Files Locally – Gravatars enabled.
Given the active exploitation status, website owners/admins who rely on Breeze Cache to boost performance are recommended to upgrade to the latest version of the plugin as soon as possible or temporarily disable it.
If upgrading is currently not possible, admins should at least disable “Host Files Locally – Gravatars.”
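The root cause described above is missing file-type validation on a remotely fetched avatar. The following added example, which is not Breeze Cache or Cloudways code and does not represent the 2.4.5 fix, sketches what such validation can look like in PHP; the function name `save_remote_avatar`, its parameters, the allowlist and the sample inputs are all assumptions made for illustration.

```php
<?php
// Added example (hypothetical names, not plugin code): validate a fetched
// avatar by its content and choose the stored file name on the server side.

const ALLOWED_AVATAR_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Store $bytes (a body already downloaded from $url) under $cacheDir.
 * Returns the saved path, or null when the body is not an allowed image.
 */
function save_remote_avatar(string $url, string $bytes, string $cacheDir): ?string
{
    // 1. Detect the type from the content itself; the URL path and any
    //    Content-Type header are attacker-controlled and are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    $ext  = is_string($mime) ? (ALLOWED_AVATAR_TYPES[$mime] ?? null) : null;
    if ($ext === null) {
        return null;
    }

    // 2. Require the body to parse as an image of that same type.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }

    // 3. Build the file name locally: hash of the URL plus an allowlisted
    //    extension. No remote-supplied name or extension reaches the disk,
    //    so the file cannot be written with an executable suffix.
    $path = rtrim($cacheDir, '/') . '/' . hash('sha256', $url) . '.' . $ext;

    return file_put_contents($path, $bytes, LOCK_EX) === false ? null : $path;
}

// Constructed sample inputs: a 1x1 GIF, and a script body behind an avatar-like URL.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$php = "<?php echo 'not an image'; ?>";
$dir = sys_get_temp_dir();

var_dump(save_remote_avatar('https://example.test/avatar/abc.gif', $gif, $dir));
var_dump(save_remote_avatar('https://example.test/avatar/abc.php', $php, $dir));
```

A cache directory that only ever holds images should additionally be configured so the web server never executes scripts from it, since content checks alone do not stop image/script polyglots.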


