Ethical Hacking News
Hackers have discovered a critical vulnerability in the Breeze Cache WordPress plugin that allows them to upload arbitrary files to the server without authentication. Wordfence has logged more than 170 attempts to exploit the flaw, which affects all versions of the plugin up to 2.4.4; Cloudways fixed it in version 2.4.5 earlier this week.
Wordfence has revealed a critical vulnerability in the Breeze Cache plugin for WordPress. The flaw lets attackers upload arbitrary files to the server without authentication, posing a significant security risk. Wordfence has detected over 170 attempts to exploit vulnerable versions of the plugin. With 138,000 downloads since the latest version was released, the number of potentially vulnerable sites is large. Upgrading to the latest version, or disabling the "Host Files Locally - Gravatars" add-on, is recommended to mitigate the risk.
In a recent security alert issued by Wordfence, a prominent WordPress security company, it has been revealed that hackers are actively exploiting a critical vulnerability in the popular Breeze Cache plugin for WordPress. This plugin, designed to improve performance and loading speed by caching pages so they are generated less often, optimizing files, and cleaning up the database, has been found to have a severe security flaw that allows attackers to upload arbitrary files to the server without authentication.
The security issue, tracked as CVE-2026-3844, has been the target of more than 170 exploitation attempts detected by the Wordfence security solution for the WordPress ecosystem. According to Defiant, the developer of Wordfence, the problem stems from missing file-type validation in the 'fetch_gravatar_from_remote' function. This allows an unauthenticated attacker to upload arbitrary files to the server, which can lead to remote code execution (RCE) and complete website takeover.
To exploit this vulnerability successfully, attackers require the "Host Files Locally - Gravatars" add-on to be turned on, which is not its default state. Researchers estimate that roughly 138,000 downloads of the plugin have occurred since the release of the latest version, and it is unclear how many websites are vulnerable.
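As an added illustration of the defect class described above, the following hypothetical PHP routine shows the validation a "fetch remote gravatar, host it locally" feature needs: the stored file's name and extension are derived only from the e-mail hash and the image type detected from the body's own bytes, never from anything the remote response supplies, and non-image bodies are rejected. This is not the Breeze Cache plugin's code, which is not shown on this page; the function names and upload directory are assumptions.

```php
<?php
// Hypothetical hardened "store gravatar locally" routine (not Breeze Cache's code).
// Detected image type => fixed extension written to disk.
const GRAVATAR_ALLOWED = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

// Identify the image type from the magic bytes of the body itself, ignoring
// the Content-Type header and any file name the remote side sent.
function gravatar_detect_type(string $body): ?string
{
    $signatures = [
        "\x89PNG\r\n\x1a\n" => 'image/png',
        "\xFF\xD8\xFF"      => 'image/jpeg',
        'GIF87a'            => 'image/gif',
        'GIF89a'            => 'image/gif',
    ];
    foreach ($signatures as $magic => $mime) {
        if (strncmp($body, $magic, strlen($magic)) === 0) {
            return $mime;
        }
    }
    // WebP is a RIFF container: "RIFF" <size> "WEBP"
    if (strlen($body) >= 12 && substr($body, 0, 4) === 'RIFF' && substr($body, 8, 4) === 'WEBP') {
        return 'image/webp';
    }
    return null;
}

// Write the fetched body under $uploadDir and return the local path, or null
// when the body is rejected. $emailHash (the 32-hex-char Gravatar hash) is the
// only input that influences the file name.
function gravatar_store_locally(string $emailHash, string $body, string $uploadDir): ?string
{
    if (!preg_match('/^[a-f0-9]{32}$/', $emailHash)) {
        return null;                       // reject path separators, dots, etc.
    }
    $mime = gravatar_detect_type($body);
    if ($mime === null) {
        return null;                       // not an allowed image type
    }
    // Second opinion from PHP's image parser: a body that merely starts with a
    // PNG/JPEG signature but is not a parsable image is rejected here.
    $info = @getimagesizefromstring($body);
    if ($info === false || ($info['mime'] ?? '') !== $mime) {
        return null;
    }
    $path = rtrim($uploadDir, '/') . '/' . $emailHash . '.' . GRAVATAR_ALLOWED[$mime];
    return file_put_contents($path, $body, LOCK_EX) === false ? null : $path;
}
```

Because the extension is fixed by the detected type and the name by the hash, an image with script text appended is still stored as a plain image file; serving the upload directory with script execution disabled remains the backstop for that case.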
The Breeze Cache WordPress caching plugin from Cloudways has more than 400,000 active installations and offers various features such as performance optimization, file optimization, and database cleanup to enhance website loading speed. Despite its widespread use and popularity among developers and site owners alike, the vulnerability discovered in the 'fetch_gravatar_from_remote' function makes it a high-risk target for hackers seeking to gain unauthorized access or control over targeted WordPress sites.
In light of this security flaw, researchers and WordPress site administrators are urged to upgrade to the latest version of the plugin as soon as possible. If upgrading is currently not feasible due to other technical constraints, disabling the "Host Files Locally - Gravatars" add-on would be a prudent precautionary measure to mitigate potential risks associated with exploitation.
In an increasingly complex digital landscape filled with numerous security threats and vulnerabilities, it is essential for WordPress developers, site owners, and users to remain vigilant and proactive in safeguarding their online assets against malicious attacks. Keeping abreast of the latest security patches, updates, and best practices will help ensure that your websites are well-protected from potential exploits.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Exploit-Critical-Breeze-Cache-WordPress-Plugin-Vulnerability-ehn.shtml
https://www.bleepingcomputer.com/news/security/hackers-exploit-file-upload-bug-in-breeze-cache-wordpress-plugin/
https://freshysites.com/security-bulletins/breeze-cache-plugin-vulnerability-cve-2026-3844/
https://securityvulnerability.io/vulnerability/CVE-2026-3844
https://nvd.nist.gov/vuln/detail/CVE-2026-3844
https://www.cvedetails.com/cve/CVE-2026-3844/
Published: Thu Apr 23 18:52:06 2026 by llama3.2 3B Q4_K_M