
Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files to the server without authentication.
The security issue is tracked as CVE-2026-3844 and has been leveraged in more than 170 exploitation attempts, according to the Wordfence security solution for the WordPress ecosystem.
The Breeze Cache WordPress caching plugin from Cloudways has more than 400,000 active installations and is designed to improve performance and loading speed by reducing page load frequency through caching, file optimization, and database cleanup.
The vulnerability received a critical severity rating of 9.8 out of 10 and was discovered and reported by security researcher Hung Nguyen (bashu).
Researchers at WordPress security company Defiant, the developer of Wordfence, say that the problem stems from missing file-type validation in the ‘fetch_gravatar_from_remote’ function.
This allows an unauthenticated attacker to upload arbitrary files to the server, which can lead to remote code execution (RCE) and complete website takeover.
However, successful exploitation is possible only if the “Host Files Locally – Gravatars” add-on is turned on, which is not the default state, the researchers say.
CVE-2026-3844 affects all Breeze Cache versions up to and including 2.4.4. Cloudways fixed the flaw in version 2.4.5, released earlier this week.
According to statistics from WordPress.org, the plugin has had roughly 138,000 downloads since the release of the latest version. It is unclear how many websites are vulnerable, though, because there is no data on the number that have Host Files Locally – Gravatars enabled.
Given the active exploitation status, website owners/admins who rely on Breeze Cache to boost performance are recommended to upgrade to the latest version of the plugin as soon as possible or temporarily disable it.
If upgrading is currently not possible, admins should at least disable the “Host Files Locally – Gravatars” add-on.
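To find installs that still need the update, the following added example (not code from the article, Wordfence, or the plugin) scans a directory tree for Breeze copies and compares each plugin header version with 2.4.5. It assumes the plugin sits at `wp-content/plugins/breeze/breeze.php`, and it checks the version only, not whether the Gravatars add-on is enabled.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 4, 5)  # first patched release named in the article
# Assumption: plugin directory "breeze" with main file "breeze.php".
PLUGIN_FILE = "wp-content/plugins/breeze/breeze.php"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)

def parse_version(header_text):
    """Return the plugin header version as a tuple of ints, or None."""
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable(version):
    """True for every release up to and including 2.4.4."""
    padded = version + (0,) * (len(FIXED) - len(version))  # 2.4 -> 2.4.0
    return padded < FIXED

def audit(root):
    """Scan a tree for Breeze installs; return (path, version, status) rows."""
    rows = []
    for main in sorted(Path(root).rglob(PLUGIN_FILE)):
        # WordPress reads only the first 8 KB of a plugin file for headers.
        with open(main, "rb") as fh:
            head = fh.read(8192).decode("utf-8", "replace")
        version = parse_version(head)
        if version is None:
            status = "unknown"  # header missing or altered: inspect by hand
        elif is_vulnerable(version):
            status = "VULNERABLE"
        else:
            status = "patched"
        label = ".".join(map(str, version)) if version else "?"
        rows.append((str(main), label, status))
    return rows

if __name__ == "__main__":
    results = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version, status in results:
        print(f"{status:<10} {version:<8} {path}")
    # Non-zero exit lets cron or CI flag hosts that still need the update.
    sys.exit(1 if any(s != "patched" for _, _, s in results) else 0)
```

Run it with the web root (or a parent directory holding several sites) as the only argument.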




