Hackers Exploit Critical File Upload Bug in Breeze Cache WordPress Plugin
Hackers are exploiting a severe vulnerability in the Breeze Cache plugin for WordPress. The flaw allows attackers to upload files to the server without authentication.
Tracked as CVE-2026-3844, the issue has already been used in over 170 hacking attempts, according to Wordfence, a prominent security solution for WordPress websites.
Breeze Cache is a WordPress caching plugin from Cloudways with over 400,000 active installations. It aims to improve website performance and loading speed through caching, file optimization, and database cleanup.
This critical vulnerability, scoring 9.8 out of 10 in severity, was uncovered by security researcher Hung Nguyen (bashu).
Experts at Defiant, the team behind Wordfence, have identified the root cause of the issue in the ‘fetch_gravatar_from_remote’ function, attributing it to a lack of file-type validation.
Exploiting this flaw allows unauthorized parties to upload arbitrary files, paving the way for remote code execution (RCE) and potential website hijacking.
Researchers note that successful exploitation requires the “Host Files Locally – Gravatars” add-on to be enabled, and it is not enabled by default.
The vulnerability, cataloged as CVE-2026-3844, impacts all versions of Breeze Cache up to 2.4.4. Cloudways swiftly addressed this issue in the latest release, version 2.4.5.
Recent statistics from WordPress.org indicate approximately 138,000 downloads of the updated plugin. However, the exact number of vulnerable websites remains unknown due to the variable state of the “Host Files Locally – Gravatars” setting.
Given the active exploitation of this vulnerability, website owners utilizing Breeze Cache are strongly advised to update to the latest version promptly or temporarily deactivate the plugin.
If immediate updating is not feasible, administrators should disable the “Host Files Locally – Gravatars” feature to mitigate potential risks.
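For administrators triaging a site, the following added example (not code from Breeze, Cloudways or Wordfence) checks a version string against the 2.4.5 fix and flags files in a locally hosted avatar directory that are not plain images, which is the check the article says was missing. The directory to scan is supplied by the operator, and the function names, extension list and set of image signatures are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (2, 4, 5)  # first patched Breeze release, per the article
# Leading bytes of the image types an avatar cache should contain (assumed set).
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
               b"GIF87a": "gif", b"GIF89a": "gif"}
SCRIPT_EXT = {".php", ".phtml", ".phar"}  # illustrative, not exhaustive

def is_affected(version):
    """True when a Breeze version string is older than 2.4.5."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums))) < FIXED

def sniff_image(data):
    """Return the image type named by the file's leading bytes, else None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None

def triage(cache_dir):
    """Return (file name, reason) for files that do not belong in an avatar cache."""
    findings = []
    for path in sorted(p for p in Path(cache_dir).rglob("*") if p.is_file()):
        data = path.read_bytes()
        if path.suffix.lower() in SCRIPT_EXT:
            findings.append((path.name, "script extension"))
        elif sniff_image(data) is None:
            findings.append((path.name, "content is not an image"))
        elif b"<?php" in data.lower():
            findings.append((path.name, "image header with embedded PHP tag"))
    return findings

def demo():
    # Constructed sample files: one clean PNG and three that should be flagged.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    samples = {"a1.png": png, "b2.jpg": b"<html>not an avatar</html>",
               "c3.php": b"placeholder", "d4.png": png + b"<?php /* marker */"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_bytes(body)
        return triage(tmp)

if __name__ == "__main__":
    print(is_affected("2.4.4"), demo())
```

A finding is a prompt for manual review of the file and the web server logs around its creation time, not proof of compromise.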