CVE-2026-3844 is an arbitrary file upload vulnerability in the Breeze Cache plugin for WordPress. The flaw lives in the The function fetches Gravatar images from a remote URL and stores them locally in the WordPress uploads directory. It does not validate the file type or content of what it downloads. An attacker who controls the source URL can have the server fetch a PHP webshell instead of an image. The file lands in a location where PHP execution is allowed.<\/p>\n\n\n\n The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical). No authentication or user interaction is required. The only precondition is that the “Host Files Locally – Gravatars” option must be enabled in the plugin settings. That option is disabled by default.<\/p>\n\n\n\n Active exploitation has been observed in the wild. Public threat telemetry has reported thousands of attack attempts in the days following disclosure. Exploitation is unauthenticated and network-based, which puts it at the easiest end of the spectrum.<\/p>\n\n\n\n The vulnerability affects the Breeze Cache plugin in all versions up to and including 2.4.4. Breeze is developed by Cloudways and has more than 400,000 active WordPress installations. It is used to speed up WordPress sites through caching, file optimization, and database cleanup.<\/p>\n\n\n\n In practice, an affected asset is an internet-facing WordPress site running Breeze with local Gravatar hosting enabled. WordPress sites are almost always exposed to the public internet. The Breeze plugin runs as part of the standard WordPress request lifecycle, so the vulnerable endpoint is reachable from anywhere.<\/p>\n\n\n\n The CPE strings observed in the affected asset set show two variants. Some assets carry the These sites also tend to be high-leverage targets. A successful upload places a webshell on a public-facing host. From there, an attacker can pivot into the WordPress database, harvest credentials, and use the site to host further payloads.<\/p>\n\n\n\n Yes. Cloudways released Breeze Cache version 2.4.5, which fixes the issue. Site owners running Breeze should upgrade to 2.4.5 or later as the primary action.<\/p>\n\n\n\n If an immediate upgrade is not possible, the published interim mitigation is to disable the “Host Files Locally – Gravatars” option in the Breeze settings. Disabling the feature blocks the vulnerable code path. Disabling Breeze entirely is also a viable temporary measure.<\/p>\n\n\n\n Defenders should treat this as time-sensitive. Active exploitation is already in progress, and the exploit needs no credentials. Verify the plugin version directly on each WordPress site, and confirm the setting state on the host. A central inventory may not track plugin configuration.<\/p>\n\n\n\nfetch_gravatar_from_remote<\/code> function inside class-breeze-cache-cronjobs.php<\/code>.<\/p>\n\n\n\nWhat assets are affected by CVE-2026-3844?<\/h2>\n\n\n\n
wordpress_plugin:breeze<\/code> CPE without an explicit version. Others identify as the Cloudways-managed cloudways:breeze<\/code> build at version 2.1.4. Both are below the patched 2.4.5 release.<\/p>\n\n\n\nAre fixes available?<\/h2>\n\n\n\n
Are there any other recommended actions to take?<\/h2>\n\n\n\n