Breeze Cache Plugin Vulnerability - Critical Flaw Exploited

A critical vulnerability in the Breeze Cache plugin exposes over 400,000 sites to file upload attacks. Users must update or disable the plugin immediately to protect their sites from exploitation.


Original Reporting

Security Affairs · Pierluigi Paganini

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯 Basically, hackers can upload harmful files to websites using a flaw in a popular WordPress plugin.

What Happened

A serious vulnerability has been discovered in the Breeze Cache plugin for WordPress, tracked as CVE-2026-3844. This flaw allows attackers to upload files to a server without needing to log in, putting over 400,000 websites at risk. Security researchers from Wordfence have detected more than 170 attacks exploiting this vulnerability.

The Flaw

The vulnerability stems from missing file type validation in the fetch_gravatar_from_remote function and affects all versions up to and including 2.4.4. Because the fetched file is never checked for an allowed type, unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and complete site takeover. The issue is exploitable only when the "Host Files Locally – Gravatars" option is enabled; that option is off by default.
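As an added, defender-side illustration (not Breeze's own code; the function name cp_fetch_gravatar_safely, the cache directory name and the query parameters are assumptions), this is the shape a locally hosted Gravatar fetch needs: the file type is decided from the downloaded bytes rather than from the URL or response headers, the extension follows the detected type, and the stored file name is the validated hash.

```php
<?php
// Added example, not Breeze's code. Hypothetical function name; the
// WordPress and PHP functions used are real (wp_remote_get, finfo, ...).

function cp_fetch_gravatar_safely( $email_hash ) {
    // Build the URL ourselves from a 32-hex-char MD5; never accept a URL or
    // file name from the request, so the remote host and path are fixed.
    if ( ! preg_match( '/^[a-f0-9]{32}$/', $email_hash ) ) {
        return false;
    }
    $url      = 'https://www.gravatar.com/avatar/' . $email_hash . '?s=96&d=mm';
    $response = wp_remote_get( $url, array(
        'timeout'             => 5,
        'limit_response_size' => 512 * 1024, // avatars are small; cap the body
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $body = wp_remote_retrieve_body( $response );

    // Decide the file type from the bytes, not from the URL or the
    // Content-Type header: a remote response can claim anything.
    $allowed = array( 'image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif' );
    $finfo   = finfo_open( FILEINFO_MIME_TYPE );
    $mime    = finfo_buffer( $finfo, $body );
    finfo_close( $finfo );
    if ( ! isset( $allowed[ $mime ] ) ) {
        return false; // not an image type we cache: drop it (and log it)
    }

    // Extension comes from the sniffed MIME type; the name is the hash only,
    // so no attacker-controlled string ever reaches the filesystem path.
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'gravatar-cache-example/';
    if ( ! wp_mkdir_p( $dir ) ) {
        return false;
    }
    $path = $dir . $email_hash . '.' . $allowed[ $mime ];
    return ( false !== file_put_contents( $path, $body, LOCK_EX ) ) ? $path : false;
}
```

The cache directory should additionally be served with script execution disabled (for example a `.htaccess` or equivalent server rule), so that even a validation gap cannot turn a cached file into executable code.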

Who's Affected

The flaw impacts users of the Breeze Cache plugin, which is widely used to enhance website performance through caching and optimization features. With over 400,000 installations, the potential for widespread exploitation is significant.

What You Should Do

Users of the Breeze Cache plugin should act immediately. Wordfence reported blocking 3,936 attacks targeting this vulnerability in the past 24 hours alone, which underlines the urgency of patching. Failure to act could lead to unauthorized access to and control over affected websites.

Containment

  1. Update to the latest version (2.4.5) to patch the vulnerability.
  2. If updating isn't possible, consider disabling the plugin temporarily until the update can be applied.

🔒 Pro Insight

The active exploitation of CVE-2026-3844 indicates a significant uptick in targeted attacks against WordPress plugins, necessitating immediate patching efforts.
