Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files on the server without authentication.
The security issue is tracked as CVE-2026-3844 and has been leveraged in more than 170 exploitation attempts by the Wordfence security solution for the WordPress ecosystem.
The Breeze Cache WordPress caching plugin from Cloudways has more than 400,000 active installations and is designed to improve performance and loading speed by reducing page load frequency through caching, file optimization, and database cleanup.
The vulnerability received a critical severity score of 9.8 out of 10 and was discovered and reported by security researcher Hung Nguyen (bashu).
Researchers at WordPress security company Defiant, the developer of Wordfence, say that the problem stems from missing file-type validation in the ‘fetch_gravatar_from_remote’ function.
This allows an unauthenticated attacker to upload arbitrary files to the server, which can lead to remote code execution (RCE) and complete website takeover.
However, successful exploitation is possible only if the “Host Files Locally – Gravatars” add-on is turned on, which is not the default state, the researchers say.
CVE-2026-3844 affects all Breeze Cache versions up to and including 2.4.4. Cloudways fixed the flaw in version 2.4.5, released earlier this week.
According to statistics from WordPress.org, the plugin has had roughly 138,000 downloads since the release of the latest version. It is unclear how many websites are vulnerable, though, because there is no data on the number that have the Host Files Locally – Gravatars enabled.
Given the active exploitation status, website owners/admins who rely on Breeze Cache to boost performance are recommended to upgrade to the latest version of the plugin as soon as possible or temporarily disable it.
If upgrading is currently not possible, admins should at least disable the “Host Files Locally – Gravatars.”
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
