A critical RCE vulnerability in the Breeze Cache WordPress plugin (CVE-2026-3844) allows unauthenticated attackers to upload arbitrary files via the fetch_gravatar_from_remote function when the “Host Files Locally – Gravatars” add-on is enabled. Cloudways released version 2.4.5 to patch the flaw after Wordfence observed active exploitation attempts, and site owners should update immediately or disable the add-on to mitigate risk. #BreezeCache #CVE-2026-3844
Key points
- CVE-2026-3844 is a critical vulnerability in Breeze Cache with a CVSS score of 9.8 affecting versions up to 2.4.4.
- The issue is caused by missing file-type validation in the fetch_gravatar_from_remote function.
- An unauthenticated attacker can upload arbitrary files, potentially leading to remote code execution and full site takeover.
- Cloudways fixed the flaw in Breeze Cache 2.4.5; Wordfence reported over 170 exploitation attempts and download statistics show continued usage.
- Administrators should upgrade to version 2.4.5 immediately or disable the “Host Files Locally – Gravatars” add-on if they cannot patch right away.
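A hardened pattern for the defect the key points describe, fetching a remote avatar and storing it locally only after confirming from the bytes that it is an image, as an added PHP example; this is not Breeze Cache's own code. The function name safe_cache_remote_avatar, the $cache_dir parameter and the allowed-host check are assumptions; it relies on the WordPress HTTP API.

```php
<?php
// Added illustration (not Breeze Cache's code): cache a remotely fetched avatar
// locally only after validating it. Function name, $cache_dir and the allowed
// host are assumptions. Requires WordPress (wp_remote_get and friends).

function safe_cache_remote_avatar( string $url, string $cache_dir ) {
    // 1. Only fetch from the expected avatar host over HTTPS (host is an assumption).
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || 'https' !== $parts['scheme']
        || empty( $parts['host'] ) || 'secure.gravatar.com' !== $parts['host'] ) {
        return new WP_Error( 'bad_host', 'Refusing to fetch from an unexpected host.' );
    }

    // 2. Fetch with a short timeout and no redirects, and require a 200.
    $response = wp_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Remote fetch failed.' );
    }
    $body = wp_remote_retrieve_body( $response );
    if ( '' === $body || strlen( $body ) > 512 * 1024 ) {
        return new WP_Error( 'bad_size', 'Unexpected response size.' );
    }

    // 3. Decide the type from the bytes, never from the URL or the Content-Type header.
    $finfo   = new finfo( FILEINFO_MIME_TYPE );
    $mime    = $finfo->buffer( $body );
    $allowed = array( 'image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif' );
    if ( ! isset( $allowed[ $mime ] ) ) {
        return new WP_Error( 'bad_type', 'Response is not an allowed image type.' );
    }
    // 4. Confirm the data actually parses as an image, not just a recognisable header.
    if ( false === @getimagesizefromstring( $body ) ) {
        return new WP_Error( 'bad_image', 'Response does not parse as an image.' );
    }

    // 5. Never reuse a remote-supplied name: derive the filename from a hash of the
    //    URL and take the extension from the detected MIME type, so nothing the
    //    remote side controls can influence what ends up on disk.
    $target = trailingslashit( $cache_dir ) . hash( 'sha256', $url ) . '.' . $allowed[ $mime ];

    if ( false === file_put_contents( $target, $body ) ) {
        return new WP_Error( 'write_failed', 'Could not write cached avatar.' );
    }
    return $target;
}
```

Any caller that previously trusted the URL extension or the Content-Type header should be routed through a check like this; the MIME-to-extension map is the only place a stored file's extension can come from.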