A critical vulnerability in the Breeze Cache plugin for WordPress lets unauthenticated attackers upload arbitrary files to the server, and it is already being exploited in the wild: security researchers have documented active exploitation attempts that point to automated scanning and targeted attacks against sites running this caching plugin.
The flaw, tracked as CVE-2026-3844 and rated 9.8/10 (CVSS), stems from missing file-type validation in the function that fetches remote avatars ("fetch_gravatar_from_remote"). The omission lets a malicious actor write files to the server, a webshell for example, which in the right conditions leads to remote code execution (RCE) and full site takeover. Note that exploitation requires the "Host Files Locally - Gravatars" option to be enabled, a setting that is not on by default in many installations.

Breeze Cache, published by Cloudways, is a popular plugin with hundreds of thousands of active installations. Although the exact number of vulnerable sites depends on how many have local gravatar hosting enabled, the attempts the security community has observed (more than a hundred by public tallies) show that attackers actively look for easy vectors into WordPress. Site owners should assume the risk is real until the fix is applied.
Cloudways has released version 2.4.5, which fixes the problem; versions 2.4.4 and earlier are affected. The most immediate and effective measure is to update the plugin on every affected site. If you cannot update right away, temporarily deactivate the plugin, or at least turn off the "Host Files Locally - Gravatars" option, until you can patch. The technical bulletin and vulnerability details are in the Wordfence team's advisory, and the plugin's statistics in the official WordPress repository help estimate the footprint in your environment (Wordfence technical advisory; plugin page on WordPress.org).
For administrators running many sites or shared hosting environments, the response should go beyond a timely update: immediately inspect the upload directories (wp-content/uploads) and any temporary folders for files with suspicious extensions (.php or anything else unexpected), review access logs for unusual requests to the gravatar function, and audit recently changed files. If there are signs of compromise, consider restoring from a clean backup and rotating passwords and API keys; catching a webshell early can spare you a full rebuild.
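The triage described above, as an added example (this is not the article's or the Breeze Cache project's code): a shell script that lists PHP-executable files under the uploads directory, pulls suspicious requests out of an access log, and lists recently modified files, returning non-zero when anything was found. It assumes an Apache/nginx "combined" format log. The article does not give the request path used by the vulnerable gravatar fetch, so the log scan keys on generic indicators (any request to a .php file under wp-content/uploads, and POSTs whose URL mentions gravatar or breeze); the sample log lines and the /?breeze_gravatar=1 path in the demo are constructed for this example and are not the plugin's real endpoint.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or the Breeze Cache project.
# Post-incident triage for a WordPress install after an unauthenticated
# avatar upload. Assumptions: combined-format access log; the exact request
# path of the vulnerable gravatar fetch is not given in the article, so the
# log scan keys on generic indicators rather than a specific endpoint.
set -u

# List files under the uploads dir with a PHP-executable extension.
# Uploads should contain media only, so every hit is a finding.
find_php_in_uploads() {
  local dir="$1"
  find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
                         -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# List files under DIR modified within the last DAYS days (default 7).
recently_modified() {
  local dir="$1" days="${2:-7}"
  find "$dir" -type f -mtime "-$days" 2>/dev/null | sort
}

# Pull two kinds of request out of the access log:
#   1. any hit on a PHP file under wp-content/uploads (a webshell being used)
#   2. POST requests whose URL mentions gravatar or breeze (the upload path)
# Piped through sort -u so the function always exits 0 and dedupes lines.
scan_access_log() {
  local log="$1"
  {
    grep -Ei '"(GET|POST) [^" ]*/wp-content/uploads/[^" ]*\.ph(p|tml|ar)([?/ ]|$)' "$log"
    grep -Ei '"POST [^" ]*(gravatar|breeze)' "$log"
  } 2>/dev/null | sort -u
}

# Run all three checks; return 1 if anything was found, 0 if clean.
triage() {
  local uploads="$1" log="$2" hits=0 out
  out=$(find_php_in_uploads "$uploads")
  if [ -n "$out" ]; then printf 'PHP in uploads:\n%s\n' "$out"; hits=1; fi
  out=$(scan_access_log "$log")
  if [ -n "$out" ]; then printf 'Suspicious requests:\n%s\n' "$out"; hits=1; fi
  printf 'Recently modified (review manually):\n%s\n' "$(recently_modified "$uploads")"
  return "$hits"
}

# Demo on constructed data: a fake uploads tree plus four constructed log
# lines. The POST path is invented for the demo, not the plugin's endpoint.
demo() {
  local tmp
  tmp=$(mktemp -d)
  mkdir -p "$tmp/uploads/2026/03"
  printf 'PNG' > "$tmp/uploads/2026/03/avatar.png"
  printf '<?php echo 1;' > "$tmp/uploads/2026/03/avatar.php"   # stand-in for a dropped webshell
  cat > "$tmp/access.log" <<'EOF'
203.0.113.5 - - [12/Mar/2026:10:01:02 +0000] "GET /wp-content/uploads/2026/03/avatar.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2026:10:01:09 +0000] "POST /?breeze_gravatar=1 HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.5 - - [12/Mar/2026:10:01:15 +0000] "GET /wp-content/uploads/2026/03/avatar.php?c=id HTTP/1.1" 200 41 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
  triage "$tmp/uploads" "$tmp/access.log"
  local rc=$?
  rm -rf "$tmp"
  return "$rc"
}

demo || echo "findings present; investigate before trusting this host"
```

On a real host, replace the demo with `triage /var/www/html/wp-content/uploads /var/log/apache2/access.log` (paths vary by distribution and hosting panel). A hit from the first log pattern is the strongest signal: a .php file under uploads that has actually been requested is a webshell in use, and the source IP and timestamp on that line scope the rest of the investigation.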

Beyond the immediate response, shrink the attack surface: apply restrictive file-permission policies, block PHP execution in upload directories, enable a web application firewall (WAF), and consider continuous scanning that alerts on suspicious uploads or file modifications. The official WordPress hardening guide collects good practices that belong in a broader security strategy (WordPress Hardening).
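Blocking PHP execution in the uploads directory, as an added example (not from the article, the plugin, or the WordPress hardening guide): a shell script that drops an Apache 2.4 FilesMatch deny rule into wp-content/uploads/.htaccess, normalises permissions to 755 for directories and 644 for files, and verifies the result. It assumes Apache 2.4 with AllowOverride in effect for that directory; the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or the Breeze Cache project.
# Harden a WordPress uploads directory so a file written there cannot be
# executed as PHP. Assumes Apache 2.4 with AllowOverride enabled for the
# directory (otherwise the same block belongs in the vhost config).
set -u

# Apache 2.4 rule: refuse to serve any PHP-like file under the directory.
# "Require all denied" is used instead of "php_flag engine off" because it
# works whether PHP runs as mod_php or behind php-fpm: the request is
# rejected by Apache before any handler sees it.
uploads_htaccess_rule() {
  cat <<'EOF'
# Block direct execution of scripts in wp-content/uploads
<FilesMatch "\.(php|phtml|php[0-9]+|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Append the rule to DIR/.htaccess unless it is already there, then set
# directories to 755 and files to 644 so nothing under uploads is executable.
# Idempotent: running it twice leaves exactly one copy of the rule.
harden_uploads_dir() {
  local dir="$1" ht="$1/.htaccess"
  [ -d "$dir" ] || return 2
  if [ -f "$ht" ] && grep -q 'Require all denied' "$ht"; then
    : # rule already present
  else
    uploads_htaccess_rule >> "$ht"
  fi
  find "$dir" -type d -exec chmod 755 {} +
  find "$dir" -type f -exec chmod 644 {} +
}

# Verify: deny rule present and no file under DIR carries an execute bit.
# Returns 0 when hardened, 1 otherwise.
uploads_dir_hardened() {
  local dir="$1"
  [ -f "$dir/.htaccess" ] && grep -q 'Require all denied' "$dir/.htaccess" || return 1
  [ -z "$(find "$dir" -type f -perm -u+x 2>/dev/null)" ]
}

# Usage: ./harden-uploads.sh /var/www/html/wp-content/uploads
if [ $# -gt 0 ]; then
  harden_uploads_dir "$1" && uploads_dir_hardened "$1" && echo "hardened: $1"
fi
```

On nginx there is no per-directory file to drop; the equivalent is a `location ~* ^/wp-content/uploads/.*\.php$ { return 403; }` block in the server config, placed before the generic PHP handler location. In both cases, test with a harmless .php file after applying the change: the web server should answer 403, not execute it.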
Do not underestimate the operational risk: a successful exploit can mean data loss, malicious content served to end users, and regulatory penalties if the site handles sensitive data. If your organization runs Breeze Cache in production, coordinate the update in controlled maintenance windows, communicate the action to security stakeholders, and monitor intrusion detections for the 72 hours after the patch is applied.
In short, act now: update to version 2.4.5 where it is available, or disable local gravatar hosting until you can patch; search for malicious artifacts, and tighten access and monitoring policies. The combination of patching, detection and hardening is the only reasonable way to limit the impact of this kind of vulnerability on the WordPress ecosystem.