A file upload flaw in the Breeze Cache plugin (CVE-2026-3844) is being exploited in the wild. Upgrade or disable a specific add-on to reduce risk.
Cybercriminals are actively exploiting a critical vulnerability in the Breeze Cache WordPress plugin, using it to upload files to compromised servers without authentication.
Misryoum first flagged the issue as a reminder that “performance” plugins can become a security risk when a weakness slips through. The flaw is tracked as CVE-2026-3844 and has already been observed in more than 170 exploitation attempts in the WordPress ecosystem.
The plugin—popular among site owners for speeding up pages—is built to improve load times through caching. file optimization. and database cleanup.. Breeze Cache is offered by Cloudways and has more than 400. 000 active installations. meaning the impact of a security event like this can ripple far beyond a single website.
According to Defiant, the developer behind the Wordfence security platform, the vulnerability is caused by missing file-type validation in the plugin’s ‘fetch_gravatar_from_remote’ function. In practical terms, the weakness allows an unauthenticated attacker to upload arbitrary files to the server.
That type of access is dangerous because it can set the stage for remote code execution (RCE)—the kind of breakthrough that turns a breach into a full website takeover.. The vulnerability carries a critical severity score of 9.8 out of 10. reflecting how close it may bring attackers to total compromise when conditions align.
Here’s the part many site owners need to understand: successful exploitation appears to depend on a specific configuration.. Researchers say exploitation is possible only if the “Host Files Locally – Gravatars” add-on is enabled. and it’s not the default state.. In other words. not every Breeze Cache installation is equally exposed—but attackers are clearly trying to find those that are.
CVE-2026-3844 affects all Breeze Cache versions up to and including 2.4.4.. Cloudways has fixed the issue in version 2.4.5, released earlier this week, so the safest path is straightforward: update.. If you can’t upgrade immediately, temporary containment matters—Defiant recommends disabling the “Host Files Locally – Gravatars” add-on.
Misryoum also notes the scale of the plugin’s footprint when thinking about urgency.. While WordPress.org download history shows roughly 138. 000 downloads since the latest release. that doesn’t directly reveal how many sites have the risky add-on enabled.. The missing visibility is exactly where real-world risk hides. because admins may not know what feature combinations are turned on across their environment.
From a defender’s perspective. this incident is a useful snapshot of modern WordPress attacks: attackers don’t just target login forms or brute-force passwords.. They look for features that process uploads. fetch remote content. or handle file-related workflows—places where validation gaps can turn convenience features into takeover paths.
For owners and operators. the immediate checklist is simple but time-sensitive: upgrade Breeze Cache to 2.4.5. confirm the add-on is disabled if you’re temporarily staying on an older version. and review recent server changes if you suspect suspicious behavior.. When exploitation is already active, waiting for “more information” can be the most expensive delay.