Unauthenticated arbitrary file upload flaw in Breeze Cache WordPress plugin leads to RCE

Summary

Unauthenticated attackers are actively exploiting a critical arbitrary file upload vulnerability (CVE-2026-3844, CVSS 9.8) in the Breeze Cache WordPress plugin (400,000+ active installations) to upload arbitrary files and achieve remote code execution (RCE) on affected servers. The flaw stems from missing file-type validation in the ‘fetch_gravatar_from_remote’ function and is only reachable when the optional "Host Files Locally - Gravatars" add-on is enabled; that add-on is disabled by default. Cloudways fixed the issue in version 2.4.5, but with only around 138,000 downloads of the patched release against 400,000+ active installations, most sites appear to remain unpatched and exposed.

Timeline

  1. 24.04.2026 00:33 · 1 article

    Critical unauthenticated arbitrary file upload vulnerability in Breeze Cache plugin patched

    Cloudways released patched version 2.4.5 of the Breeze Cache WordPress plugin to address CVE-2026-3844, a critical arbitrary file upload flaw (CVSS 9.8) in the ‘fetch_gravatar_from_remote’ function. The vulnerability permitted unauthenticated attackers to upload arbitrary files and achieve remote code execution (RCE), but only when the optional "Host Files Locally - Gravatars" add-on was enabled. Wordfence had already detected over 170 exploitation attempts before the patch was released.

Information Snippets

  • CVE-2026-3844 is a critical unauthenticated file upload vulnerability in the Breeze Cache WordPress plugin (versions <= 2.4.4) enabling arbitrary file uploads via the ‘fetch_gravatar_from_remote’ function.

  • Exploitation requires the "Host Files Locally - Gravatars" add-on to be enabled, which it is not by default. Default installations are therefore not exposed, but any site whose admin enabled the add-on is.

  • Successful exploitation can lead to remote code execution (RCE) and full website takeover, with over 170 exploitation attempts detected by Wordfence.

  • Cloudways released patched version 2.4.5 to address the vulnerability; users are advised to upgrade immediately or disable the plugin if immediate patching is not feasible.

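The snippets above attribute the flaw to missing file-type validation in ‘fetch_gravatar_from_remote’, so a site that had the add-on enabled before upgrading to 2.4.5 wants to know what ended up in its local gravatar store. The following is an added triage script, not code from the Breeze Cache plugin or Cloudways. It applies the checks a fetch routine should have applied before writing a file (extension allow-list, magic-byte sniffing, extension/content mismatch, PHP open tags in the body) to files already on disk. The plugin's real cache directory and file naming are not stated on this page, so the directory is a parameter and the sample files are constructed for the demo; how an attacker reaches the function with a crafted file is also not described here and is not modelled.

```python
# Added example (not code from the Breeze Cache plugin or Cloudways): a triage
# scan for the directory where a "host Gravatars locally" feature stores the
# fetched avatar files. The real cache path used by the plugin is not stated on
# this page, so the scan takes the directory as a parameter; the sample files
# below are constructed for the demo.
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Leading bytes of the image formats an avatar endpoint legitimately returns.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",  # covers GIF87a and GIF89a
}
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
NORMALIZE_EXT = {"jpeg": "jpg"}
# Extensions commonly mapped to the PHP handler; the exact set depends on the
# server config, and ".php." catches double-extension names such as x.php.png.
EXECUTABLE_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
PHP_TAG_RE = re.compile(rb"<\?(php|=)")


def sniff_image_type(data: bytes) -> str | None:
    """Identify an image by its magic bytes; None if it is not PNG/JPEG/GIF."""
    for kind, sig in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return kind
    return None


def classify_file(path: Path) -> list[str]:
    """Return findings for one cached file; an empty list means it looks like a plain avatar."""
    findings: list[str] = []
    name = path.name
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    head = path.read_bytes()[:4096]

    if EXECUTABLE_EXT_RE.search(name):
        findings.append("executable extension")
    if ext not in ALLOWED_EXT:
        findings.append(f"unexpected extension '{ext}'")

    sniffed = sniff_image_type(head)
    if sniffed is None:
        findings.append("content is not PNG/JPEG/GIF")
    elif ext in ALLOWED_EXT and NORMALIZE_EXT.get(ext, ext) != sniffed:
        findings.append(f"extension '{ext}' but content looks like {sniffed}")

    # A valid image header does not rule out a polyglot carrying PHP code.
    if PHP_TAG_RE.search(head):
        findings.append("PHP open tag in content")
    return findings


def scan_cache_dir(cache_dir: Path) -> dict[str, list[str]]:
    """Map each suspicious file (path relative to cache_dir) to its findings."""
    suspicious: dict[str, list[str]] = {}
    for p in sorted(cache_dir.rglob("*")):
        if p.is_file():
            findings = classify_file(p)
            if findings:
                suspicious[str(p.relative_to(cache_dir))] = findings
    return suspicious


def build_sample_cache() -> Path:
    """Constructed sample data: a benign PNG, a dropped webshell, and a GIF/PHP polyglot."""
    d = Path(tempfile.mkdtemp(prefix="gravatar-cache-"))
    (d / "abc123.png").write_bytes(IMAGE_SIGNATURES["png"] + b"\x00" * 32)
    (d / "def456.php").write_bytes(b"<?php system($_GET['c']); ?>")
    (d / "ghi789.jpg").write_bytes(b"GIF89a<?php eval($_POST['x']); ?>")
    return d


if __name__ == "__main__":
    import sys

    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_cache()
    for rel, why in scan_cache_dir(target).items():
        print(f"{rel}: {', '.join(why)}")
```

Run it with the real cache directory as the argument after upgrading to 2.4.5 (or disabling the plugin). Anything it flags should be checked against web-server access logs and file modification times for the window before the patch; a file that is both a valid image and carries a PHP open tag is still worth removing, because a misconfigured handler or a later local-file-include bug can execute it. The scan only tells you what is on disk; it does not replace the upgrade.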