Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows attackers to upload arbitrary files to a server without authentication.
The security flaw is tracked as CVE-2026-3844 and has already been used in more than 170 attack attempts detected by Wordfence.
Breeze Cache, developed by Cloudways, has more than 400,000 active installations. The plugin is designed to improve website speed and performance through page caching, file optimization, and database cleanup.
The vulnerability carries a CVSS score of 9.8 out of 10 (critical) and was reported by security researcher Hung Nguyen.
Researchers at Defiant, the company behind Wordfence, said the root cause is missing file-type validation in the plugin's fetch_gravatar_from_remote function, which retrieves Gravatar images and stores them on the local server.
Because the fetched file is never checked, an unauthenticated attacker can cause the plugin to write an arbitrary file to the server, potentially leading to remote code execution and full website takeover.
Successful exploitation, however, requires the "Host Files Locally – Gravatars" add-on to be enabled. Researchers noted that this feature is turned off by default.
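To make the security point concrete, here is an added example of the kind of check that is missing in a "fetch a remote avatar and host it locally" routine. This is illustrative code written for this article, not Breeze Cache's own code, and the function names, the allowed-type list and the sample inputs are assumptions. The idea is that the decision to write the file to disk is based on what the bytes actually are, not on the URL, the remote filename or the server's Content-Type header:

```php
<?php
// Added example, not Breeze Cache code: validate a remotely fetched avatar
// before writing it into a local, web-served directory.

const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Return a safe filename for $bytes, or null if the data is not an image
 * we are willing to host. The extension comes from the detected MIME type,
 * never from the URL, the Content-Type header or the remote filename.
 */
function validate_avatar_bytes(string $bytes, string $email_hash): ?string
{
    if ($bytes === '' || strlen($bytes) > 2 * 1024 * 1024) {
        return null; // empty or unreasonably large for an avatar
    }

    // Sniff the actual content; do not trust what the remote server claimed.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($bytes);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }

    // Independent second check: the image decoder must accept it too.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return null;
    }

    // Filename is derived from a hash we control (hex only), so no
    // traversal or attacker-chosen extension is possible.
    if (!preg_match('/^[a-f0-9]{32,64}$/', $email_hash)) {
        return null;
    }

    return $email_hash . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

/**
 * Write the validated avatar under $dir and return its path, or null if
 * the content was rejected. $dir should also carry a rule that denies
 * PHP execution (e.g. an .htaccess or nginx location block) as a second layer.
 */
function store_avatar_locally(string $bytes, string $email_hash, string $dir): ?string
{
    $name = validate_avatar_bytes($bytes, $email_hash);
    if ($name === null) {
        return null;
    }
    $path = rtrim($dir, '/') . '/' . $name;
    if (file_put_contents($path, $bytes, LOCK_EX) === false) {
        return null;
    }
    return $path;
}

// Constructed sample inputs: a real 1x1 PNG, and a PHP payload that a remote
// server could hand back with an image-looking name or Content-Type.
$png     = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg=='
);
$payload = "<?php echo 'not an image'; ?>";
$hash    = md5('user@example.com');
$dir     = sys_get_temp_dir();

echo 'PNG stored at: ', var_export(store_avatar_locally($png, $hash, $dir), true), PHP_EOL;
echo 'PHP payload stored at: ', var_export(store_avatar_locally($payload, $hash, $dir), true), PHP_EOL;
```

Run it with `php example.php`: the PNG is written and its path is printed, while the PHP payload is rejected and `NULL` is printed. Sniffing the bytes with `finfo` and `getimagesizefromstring` is what a plugin has to do before storing anything it fetched on behalf of an unauthenticated visitor; denying script execution in the target directory is the backstop if the check is ever bypassed.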
The flaw affects all Breeze Cache versions up to and including 2.4.4. Cloudways fixed the problem in version 2.4.5, which was released earlier this week.
According to data from WordPress.org, the updated version has already seen around 138,000 downloads since its release. It remains unclear how many websites are still vulnerable because no public data shows how many users enabled the Gravatar hosting feature.
Because attacks are already underway, site owners and administrators running Breeze Cache are strongly advised to update to version 2.4.5 immediately or temporarily deactivate the plugin.
If updating is not possible right away, admins should at least turn off the "Host Files Locally – Gravatars" setting, which removes the vulnerable code path until the update can be applied.