
Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files to the server without authentication.
The security issue is tracked as CVE-2026-3844 and has been leveraged in more than 170 exploitation attempts observed by the Wordfence security solution for the WordPress ecosystem.
The Breeze Cache WordPress caching plugin from Cloudways has more than 400,000 active installations and is designed to improve performance and loading speed by reducing page load frequency through caching, file optimization, and database cleanup.
The vulnerability received a critical severity score of 9.8 out of 10 and was discovered and reported by security researcher Hung Nguyen (bashu).
Researchers at WordPress security firm Defiant, the developer of Wordfence, say that the problem stems from missing file-type validation in the ‘fetch_gravatar_from_remote’ function.
This allows an unauthenticated attacker to upload arbitrary files to the server, which can lead to remote code execution (RCE) and complete website takeover.
However, successful exploitation is possible only if the “Host Files Locally – Gravatars” add-on is turned on, which is not the default state, the researchers say.
CVE-2026-3844 affects all Breeze Cache versions up to and including 2.4.4. Cloudways fixed the flaw in version 2.4.5, released earlier this week.
According to statistics from WordPress.org, the plugin has had roughly 138,000 downloads since the release of the latest version. It is unclear how many websites are vulnerable, though, because there is no data on the number that have Host Files Locally – Gravatars enabled.
Given the active exploitation status, website owners/admins who rely on Breeze Cache to boost performance are advised to upgrade to the latest version of the plugin as soon as possible or temporarily disable it.
If upgrading is currently not possible, admins should at least disable the “Host Files Locally – Gravatars” add-on.
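For sites that ran an affected version with the add-on enabled, the sketch below audits an avatar cache directory for files that are not images, which is the check the missing file-type validation would have enforced. It is an added example, not code from Breeze, Cloudways or Wordfence; the page does not say where locally hosted Gravatars are stored, so the directory is supplied by the operator, and the extension list is an assumption that is not exhaustive.

```python
import os
import sys

# Leading bytes of the image formats an avatar cache should contain.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Assumption: extensions a web server commonly hands to an interpreter.
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht", ".cgi", ".pl"}


def sniff_image(head: bytes):
    """Return the image type indicated by the leading bytes, or None."""
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def audit_avatar_dir(root: str):
    """Walk root and return sorted (relative_path, reason) for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Check every dot-separated part so "a.php.jpg" is caught too.
            parts = {"." + p.lower() for p in name.split(".")[1:]}
            with open(path, "rb") as fh:
                head = fh.read(16)
            if parts & EXECUTABLE_EXT:
                # Image magic bytes do not clear a file with a script extension.
                findings.append((rel, "executable extension"))
            elif sniff_image(head) is None:
                findings.append((rel, "content is not an image"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_avatars.py /path/to/local/gravatar/cache
    for rel, reason in audit_avatar_dir(sys.argv[1]):
        print(f"{reason}: {rel}")
```

Any finding warrants treating the site as potentially compromised and reviewing it beyond this one directory.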


