Hackers Exploit Critical File Upload Flaw in Breeze Cache WordPress Plugin
Hackers are actively exploiting a critical vulnerability in the Breeze Cache WordPress plugin that can let unauthenticated attackers upload arbitrary files to vulnerable websites. The flaw, tracked as CVE-2026-3844, affects Breeze Cache versions up to and including 2.4.4 and was fixed in version 2.4.5.
Breeze Cache, developed by Cloudways, is a popular WordPress caching plugin used to improve site performance through caching, file optimization, database cleanup, and related speed features. Wordfence lists the issue as critical with a CVSS score of 9.8, and BleepingComputer reports that Wordfence has already blocked more than 170 exploitation attempts.
The vulnerability only becomes exploitable when the “Host Files Locally – Gravatars” option is enabled, which is not the default setting. Still, websites that use this feature should treat the risk as urgent because arbitrary file upload flaws can lead to remote code execution and full site takeover.
What CVE-2026-3844 does
CVE-2026-3844 is caused by missing file type validation in the fetch_gravatar_from_remote function. That function is tied to the plugin’s local Gravatar hosting feature, which can store avatar files locally instead of loading them remotely.
Because the vulnerable code does not properly validate uploaded file types, an attacker can send crafted requests that place arbitrary files on the server. If the uploaded file is executable, such as a PHP web shell, the attacker may gain remote command execution on the site.
That makes this more serious than a normal plugin bug. A successful exploit can give attackers control over the WordPress installation, allow them to modify site files, add backdoors, inject spam or malware, steal data, or use the server for more attacks.
At a glance
| Item | Details |
|---|---|
| Vulnerability | CVE-2026-3844 |
| Plugin | Breeze Cache for WordPress |
| Developer | Cloudways |
| Affected versions | Up to and including 2.4.4 |
| Fixed version | 2.4.5 |
| Severity | Critical |
| CVSS score | 9.8 |
| Vulnerability type | Unauthenticated arbitrary file upload |
| Vulnerable function | fetch_gravatar_from_remote |
| Required setting | “Host Files Locally – Gravatars” enabled |
| Default setting | Disabled |
| Main risk | Remote code execution and site takeover |
| Exploitation status | Actively exploited |
Why this flaw is being exploited
WordPress plugin vulnerabilities can become attractive quickly when the plugin has a large install base. Breeze Cache has hundreds of thousands of active installations, which gives attackers a broad target pool even if only a smaller share of sites enabled the vulnerable Gravatar option.
Attackers often scan the internet for vulnerable WordPress sites and then try the same exploit across many targets. Patchstack warns that flaws like this are commonly used in mass-exploitation campaigns because attackers can hit thousands of sites regardless of traffic size or brand value.
For website owners, the danger is not only defacement. Attackers can upload backdoors, create rogue admin accounts, redirect visitors, inject malicious ads, plant SEO spam, or use the server to host phishing pages.
What Cloudways fixed
Cloudways fixed the vulnerability in Breeze Cache 2.4.5. Site administrators should update to that version immediately through the WordPress dashboard or by downloading the latest plugin release through official channels.
The flaw was discovered and reported by security researcher Hung Nguyen, also known as bashu, according to Wordfence’s vulnerability entry.
WordPress.org download statistics cited by BleepingComputer showed roughly 138,000 downloads after the fixed version became available. That number suggests many administrators moved quickly, but it does not show exactly how many vulnerable sites remain exposed.
What site owners should do now
- Update Breeze Cache to version 2.4.5 or later.
- Disable “Host Files Locally – Gravatars” if you cannot update immediately.
- Review the site’s uploads and plugin directories for unfamiliar files.
- Search for unknown PHP files in writable directories.
- Check WordPress admin users for suspicious accounts.
- Review recent file changes, especially around the time exploitation attempts began.
- Rotate WordPress admin, hosting, FTP, SFTP, and database passwords if compromise is suspected.
- Restore from a clean backup if you find evidence of uploaded malware.
- Add a web application firewall rule that blocks suspicious upload attempts.
Why disabling the Gravatar feature helps
The vulnerability requires the “Host Files Locally – Gravatars” option to be enabled. If an administrator cannot update the plugin immediately, turning off that feature reduces exposure while they prepare the proper patch.
This should only be a temporary step. Updating remains the correct fix because plugin code may contain other security or stability changes, and attackers may continue probing for unpatched installations.
Administrators should also clear caches after updating. This helps avoid stale plugin behavior and ensures the site runs the patched code.
How to check for possible compromise
Website owners should treat unusual new files as a warning sign. Attackers who exploit file upload bugs often place web shells with harmless-looking names, image-like extensions, or files hidden in upload folders.
Check for recently created PHP files in wp-content/uploads, plugin directories, cache directories, and other writable paths. Also review server logs for requests to unusual file names, repeated POST requests, or activity around the vulnerable Gravatar feature.
A clean update does not automatically remove a backdoor if attackers already uploaded one. If the site behaved strangely, redirected visitors, showed unknown ads, or created new admin users, perform a full incident review.
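A triage scan for the file checks described above, as an added example that is not code from the article, Wordfence or Cloudways. It walks a directory such as wp-content/uploads and flags PHP-extension files, image-named files that contain PHP code or lack an image signature, and other files containing PHP code, limited to files changed since a cutoff. The extension lists, signatures and function names are assumptions chosen for illustration.

```python
import os

# Assumptions (not from the article): which extensions the server executes,
# and which signatures count as a legitimate avatar image.
PHP_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"RIFF")


def classify(path):
    """Return a reason string if the file looks suspicious, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in PHP_EXTS:
        return "php-extension"
    with open(path, "rb") as fh:
        data = fh.read(1024 * 1024)  # first 1 MiB is enough for triage
    has_php = b"<?php" in data.lower()
    if ext in IMAGE_EXTS:
        if has_php:
            return "php-code-in-image"
        if not data.startswith(IMAGE_MAGIC):
            return "image-extension-bad-magic"
    elif has_php:
        return "php-code-in-other-file"
    return None


def scan(root, since_epoch=0.0):
    """List (relative path, reason) for suspicious files changed since since_epoch."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
                # mtime can be reset by an intruder; ctime is harder to forge on Linux
                if max(st.st_mtime, st.st_ctime) < since_epoch:
                    continue
                reason = classify(full)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)


if __name__ == "__main__":
    import sys, time
    for rel, why in scan(sys.argv[1], time.time() - 30 * 86400):  # last 30 days
        print(f"{why}\t{rel}")
```

In plugin and theme directories PHP files are expected, so pass a `since_epoch` close to the suspected intrusion window there. Findings are leads for manual review, not proof of compromise.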
Why WordPress plugin security needs fast patching
Caching plugins sit close to site performance and file handling, so many website owners install them and leave them running for years. That makes timely updates important.
WordPress security incidents often start with a plugin flaw, not the WordPress core itself. Attackers know this and monitor vulnerability databases, patch releases, and public writeups for bugs that can turn into mass scans.
For business sites, the safest approach is to keep automatic updates enabled for trusted plugins, maintain clean backups, limit administrator accounts, and remove plugins that are no longer needed.
FAQ
CVE-2026-3844 is a critical arbitrary file upload vulnerability in the Breeze Cache WordPress plugin. It can allow unauthenticated attackers to upload files to a vulnerable server when the local Gravatar hosting feature is enabled.
All Breeze Cache versions up to and including 2.4.4 are affected. Version 2.4.5 contains the fix.
Yes. BleepingComputer reports that Wordfence has blocked more than 170 exploitation attempts targeting the flaw.
No. The vulnerability can only be exploited if “Host Files Locally – Gravatars” is enabled. That feature is disabled by default, but any site using it should update immediately.