
Over 400,000 WordPress Sites Vulnerable to Breeze Cache Plugin Exploit (CVE-2026-3844)

  • 4 hours ago

Key Findings


  • Critical vulnerability (CVE-2026-3844, CVSS 9.8) in Breeze Cache WordPress plugin allows unauthenticated file uploads

  • Over 400,000 websites currently affected by the flaw

  • Wordfence detected 170+ active attacks, with 3,936 blocked in 24 hours alone

  • Vulnerability requires "Host Files Locally – Gravatars" option to be enabled, which is disabled by default

  • Affects all versions up to 2.4.4; patch available in version 2.4.5


Background


Breeze Cache is a popular free WordPress plugin developed by Cloudways to improve website speed and performance. The plugin handles page and browser caching, file minification, Gzip compression, and CDN integration to reduce load times. Its adoption across over 400,000 websites makes this vulnerability a significant concern for the WordPress ecosystem.


Technical Vulnerability


The flaw exists in the 'fetch_gravatar_from_remote' function and stems from missing file-type validation. This oversight allows unauthenticated attackers to bypass security checks and upload arbitrary files to a server without requiring login credentials. Once files are uploaded, attackers can potentially achieve remote code execution and gain full control of affected websites.
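
The kind of file-type validation described above, as an added example (not Breeze's code and not from the original article): a hypothetical `store_remote_avatar` helper that decides the type from the downloaded bytes and chooses the stored name and extension itself. The function name, size limit, cache directory and sample inputs are assumptions for illustration.

```php
<?php
// Added example: hypothetical helper, not the plugin's implementation.
// Requires the fileinfo extension. Allow-list: MIME type => stored extension.
const AVATAR_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];
const AVATAR_MAX_BYTES = 512 * 1024; // assumed upper bound for an avatar

/**
 * Validate bytes fetched from a remote avatar URL and store them locally.
 * Returns the stored path, or null when the content is rejected.
 */
function store_remote_avatar(string $body, string $sourceUrl, string $cacheDir): ?string
{
    if ($body === '' || strlen($body) > AVATAR_MAX_BYTES) {
        return null;
    }
    // Decide the type from the content itself, never from the URL,
    // the remote file name or the Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
    if (!is_string($mime) || !array_key_exists($mime, AVATAR_TYPES)) {
        return null;
    }
    // The bytes must also parse as an image of that same type.
    $info = @getimagesizefromstring($body);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    // Server-chosen name and extension: nothing remote reaches the path.
    $name = hash('sha256', $sourceUrl) . '.' . AVATAR_TYPES[$mime];
    $path = rtrim($cacheDir, '/') . '/' . $name;
    return file_put_contents($path, $body, LOCK_EX) === false ? null : $path;
}

// Constructed sample inputs: a script body and a 1x1 GIF.
$dir    = sys_get_temp_dir();
$script = "<?php echo 'not an image';";
$gif    = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
var_dump(store_remote_avatar($script, 'https://example.test/a.php', $dir));
var_dump(store_remote_avatar($gif, 'https://example.test/a.gif', $dir));
```

Because the extension comes from the allow-list, a file that passes as an image but carries embedded script text is still stored under an image extension rather than `.php`.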


Security researcher Hung Nguyen discovered the vulnerability. According to Wordfence's analysis, exploitation is only possible when the "Host Files Locally – Gravatars" feature is explicitly enabled, limiting the number of vulnerable installations despite the large user base.


Active Exploitation


Threat actors are actively exploiting this vulnerability in the wild. Wordfence's security team has documented over 170 attack attempts leveraging CVE-2026-3844. Attack activity has accelerated significantly, with the security firm blocking 3,936 individual attacks targeting this flaw within just a single 24-hour period.


Recommended Response


Website administrators using Breeze Cache should prioritize updating to version 2.4.5 immediately. Those unable to update quickly should consider temporarily disabling the plugin to prevent exploitation. Given the active attack campaigns and the ease of exploitation, prompt action is essential to protect affected websites from compromise.


Sources


  • https://securityaffairs.com/191267/uncategorized/over-400000-sites-at-risk-as-hackers-exploit-breeze-cache-plugin-flaw-cve-2026-3844.html

  • https://www.socdefenders.ai/item/19a488b8-7440-4de3-bb43-84891abbac29

  • https://x.com/shah_sheikh/status/2048054490490880304

  • https://x.com/securityaffairs/status/2048045147263287708

  • https://www.linkedin.com/posts/dlross_over-400000-sites-at-risk-as-hackers-exploit-activity-7453997535578480640-oXxG

© 2025 by Explain IT Again. Powered and secured by Wix
