Skip to main content

Hackers Exploit Breeze Cache Plugin Flaw in WordPress Sites

Laptop screen displays WordPress dashboard in brightly-lit office setting.

CVE-2026-3844 is a critical flaw in the Breeze Cache WordPress plugin that researchers say is being actively exploited, with Wordfence reporting more than 170 attempted exploitations across the WordPress ecosystem.

CVE-2026-3844 and the immediate risk

Researchers at Defiant, the developer of the Wordfence security solution, flagged CVE-2026-3844 as a critical vulnerability with a severity score of 9.8 out of 10. Defiant says the bug permits unauthenticated attackers to upload arbitrary files to servers running vulnerable versions of the Breeze Cache plugin, which can lead to remote code execution (RCE) and complete website takeover when exploited successfully.

How the flaw works: missing validation in fetch_gravatar_from_remote

Defiant’s analysis points to missing file-type validation in the plugin’s fetch_gravatar_from_remote function as the root cause. That absent validation lets an attacker supply and write arbitrary files to the hosting server. The company’s researchers emphasize, however, that successful exploitation requires the “Host Files Locally - Gravatars” add-on to be enabled — a setting that is not enabled by default.

Which versions and installs are affected

CVE-2026-3844 impacts all versions of Breeze Cache up to and including 2.4.4. Cloudways, the plugin’s developer, released a fix in version 2.4.5 earlier this week. Breeze Cache is widely distributed: the plugin has more than 400,000 active installations, and WordPress.org statistics show roughly 138,000 downloads since the release of the latest version. The precise number of sites still vulnerable is unknown because WordPress.org does not report how many sites have the Host Files Locally - Gravatars option enabled.

Detection and response by security teams and the plugin author

The vulnerability was reported by security researcher Hung Nguyen (bashu) and publicly analyzed by Defiant/Wordfence. Defiant’s telemetry identified more than 170 exploitation attempts leveraging the flaw, prompting the emergency release of Breeze Cache 2.4.5 by Cloudways. Given the active exploitation observed by Wordfence, the company’s public guidance — echoed in reporting on the issue — is that site operators should update to the fixed 2.4.5 release as soon as possible or, if an upgrade cannot be performed immediately, disable the plugin.

What this means for website owners, Cloudways, and Wordfence

  • Website owners and administrators: Sites that use Breeze Cache should either upgrade to version 2.4.5 immediately or disable the plugin. If an upgrade is not possible, at minimum administrators should disable the “Host Files Locally - Gravatars” add-on, the setting that enables a fully unauthenticated file upload vector.
  • Cloudways (plugin developer): Cloudways has issued version 2.4.5 to remediate the flaw; the company will be responsible for ensuring the patch is accessible and communicated to the plugin’s large installed base and for monitoring reports of successful exploitation post-release.
  • Defiant and Wordfence (security monitoring): Defiant reported the vulnerability, mapped the underlying bug to fetch_gravatar_from_remote, and has recorded more than 170 exploitation attempts — data that will continue to guide detection signatures and warnings for site operators across the WordPress ecosystem.

The technical fact that exploitation requires a non-default add-on provides a partial mitigation path, but the absence of public telemetry on how many sites enable that add-on leaves a crucial question unanswered: how many of the roughly 400,000 active Breeze Cache installations remain susceptible? Until that gap is closed, the simplest, most certain defenses are the steps flagged by researchers and the plugin author — install Breeze Cache 2.4.5 or disable the plugin, and if an immediate upgrade is impossible, at minimum turn off the “Host Files Locally - Gravatars” feature.

Original story