Full Report
Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files on the server without authentication. [...]
Analysis Summary
# Vulnerability: Unauthenticated Arbitrary File Upload in Breeze Cache Plugin
## CVE Details
- **CVE ID:** CVE-2026-3844
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-434 (Unrestricted Upload of File with Dangerous Type)
## Affected Systems
- **Products:** Breeze Cache (WordPress plugin by Cloudways)
- **Versions:** Up to and including version 2.4.4
- **Configurations:** Only vulnerable if the **"Host Files Locally - Gravatars"** add-on is enabled (this is not enabled by default).
## Vulnerability Description
The vulnerability exists within the `fetch_gravatar_from_remote` function of the Breeze Cache plugin. The function lacks proper file-type validation when fetching and storing remote images. An unauthenticated attacker can exploit this flaw to upload malicious files (such as PHP scripts) directly to the server. Because the plugin does not verify that the fetched "image" is actually an image rather than a script, the flaw can lead to Remote Code Execution (RCE) and full site compromise.
## Exploitation
- **Status:** Exploited in the wild (over 170 attempts recorded by Wordfence); PoC details are public via security researchers.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to server data and database)
- **Integrity:** High (Attacker can modify site content or inject backdoors)
- **Availability:** High (Attacker can delete files or take the site offline)
## Remediation
### Patches
- **Version 2.4.5:** Cloudways released this version to address the flaw by adding necessary file-type validation. Users should update immediately.
### Workarounds
- **Disable Specific Feature:** If an immediate update is not possible, administrators must disable the **"Host Files Locally - Gravatars"** setting within the plugin configuration.
- **Deactivation:** Temporarily deactivate the plugin until it can be updated.
## Detection
- **Indicators of Compromise:** Look for unexpected PHP files or scripts located within the plugin's cache directories or folders associated with Gravatar storage.
- **Detection methods and tools:**
  - Use WordPress security scanners (such as Wordfence or Sucuri) to check for unauthorized file changes.
  - Monitor server access logs for unusual requests to the endpoints that reach the `fetch_gravatar_from_remote` function.
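As an added detection example (not code from the advisory, Wordfence, or the Breeze plugin), the following Python script walks a Gravatar cache directory and flags the artifacts described above: files with non-image extensions, files whose magic bytes do not match their extension, and image files with a PHP open tag embedded. The directory layout and sample files are constructed for the example and are not taken from Breeze.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Magic-byte signatures for the image types a Gravatar cache should contain.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".webp": (b"RIFF",),
}
# Markers that indicate PHP code hidden inside an otherwise valid image.
PHP_MARKERS = (b"<?php", b"<?=")


def classify_file(path: Path) -> Optional[str]:
    """Return a reason if the file looks out of place in an image cache, else None."""
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        head = fh.read(4096)  # header plus enough body to catch an early PHP tag
    if ext not in IMAGE_MAGIC:
        return f"non-image extension {ext or '(none)'}"
    if not any(head.startswith(sig) for sig in IMAGE_MAGIC[ext]):
        return f"magic bytes do not match {ext}"
    if any(marker in head for marker in PHP_MARKERS):
        return "PHP open tag inside image file"
    return None


def scan_cache_dir(root: str) -> Dict[str, str]:
    """Walk the cache tree and map each suspicious relative path to its reason."""
    findings: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            reason = classify_file(p)
            if reason:
                findings[str(p.relative_to(root))] = reason
    return findings


def build_sample_cache() -> str:
    """Constructed sample cache: two benign images plus three planted artifacts."""
    root = tempfile.mkdtemp(prefix="gravatar-cache-")  # hypothetical path
    (Path(root) / "a1.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (Path(root) / "b2.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (Path(root) / "c3.php").write_bytes(b"<?php echo 1; ?>")        # wrong type
    (Path(root) / "d4.png").write_bytes(b"\x89PNG\r\n\x1a\n<?php echo 1; ?>")  # polyglot
    (Path(root) / "e5.gif").write_bytes(b"not a gif")               # spoofed extension
    return root
```

Running `scan_cache_dir(build_sample_cache())` reports the three planted files and leaves the two genuine images unflagged.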
## References
- **Vendor Advisory:** hXXps[://]wordpress[.]org/plugins/breeze/
- **Defiant/Wordfence Research:** hXXps[://]www[.]wordfence[.]com/threat-intel/vulnerabilities/wordpress-plugins/breeze/breeze-cache-244-unauthenticated-arbitrary-file-upload-via-fetch-gravatar-from-remote
- **BleepingComputer Article:** hXXps[://]www[.]bleepingcomputer[.]com/news/security/hackers-exploit-file-upload-bug-in-breeze-cache-wordpress-plugin/