Vulnerability Management, Patch/Configuration Management

Critical vulnerability in WordPress Breeze Cache plugin exploited

Attackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows unauthenticated arbitrary file uploads. The flaw, tracked as CVE-2026-3844, has already been observed in more than 170 exploitation attempts. Breeze Cache, which has more than 400,000 active installations, provides page caching and performance optimization for WordPress sites, Bleeping Computer reports.

The vulnerability, rated critical with a CVSS score of 9.8 out of 10, stems from missing file-type validation in the plugin's "fetch_gravatar_from_remote" function. Because that code path is reachable without authentication, an attacker can upload arbitrary files to the server, which can lead to remote code execution and full site takeover. Successful exploitation does require the "Host Files Locally - Gravatars" add-on to be enabled; it is off by default, but any site that has turned it on is exposed. The vulnerability affects all Breeze Cache versions up to and including 2.4.4 and is fixed in version 2.4.5.

Given the active exploitation, administrators running Breeze Cache should upgrade to version 2.4.5 immediately or, if an upgrade is not immediately feasible, at least disable the "Host Files Locally - Gravatars" feature. Patching does not remove anything an attacker may already have uploaded: sites that ran a vulnerable version with the feature enabled should also inspect the upload location for unexpected non-image files (PHP files in particular) and review web server logs for requests to that code path.
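The following is an added example for triaging a fleet of WordPress sites against the version range stated above; it is not code from the article or from the Breeze plugin. It assumes the plugin's main file carries a standard WordPress "Version:" header line (the sample header below is constructed for illustration) and that the site operator knows whether the gravatar add-on is enabled. The numeric version comparison matters: a plain string comparison would rank "2.4.10" below "2.4.5" and report a patched site as vulnerable.

```python
import re
from typing import Dict, Optional, Tuple

# Version range taken from the advisory text: all releases up to and including
# 2.4.4 are affected; 2.4.5 is the first fixed release.
FIRST_FIXED_VERSION = "2.4.5"

# Constructed sample of a plugin main-file header in the standard WordPress
# plugin-header format. Assumption: Breeze's main file declares "Version:" this way.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Breeze
 * Plugin URI: https://example.invalid/breeze
 * Description: Caching plugin (constructed sample for illustration)
 * Version: 2.4.10
 */
"""

# Matches "Version: x.y.z" at the start of a line, tolerating the comment
# decoration (" * ", "/* ") that WordPress plugin headers typically carry.
_VERSION_RE = re.compile(r"^[\s*/]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 2.4.10 sorts after 2.4.5.

    Trailing non-numeric suffixes on a component (e.g. "5-beta") are ignored;
    a component with no leading digits raises instead of silently comparing.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"(\d+)", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(m.group(1)))
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the installed version is below the first fixed release."""
    return parse_version(version) < parse_version(FIRST_FIXED_VERSION)


def extract_plugin_version(header_text: str) -> Optional[str]:
    """Pull the declared version out of a plugin main-file header."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def assess(header_text: str, gravatar_hosting_enabled: bool) -> Dict[str, Optional[str]]:
    """Combine installed version and feature state into a triage verdict.

    The advisory says the flaw is only reachable when the
    "Host Files Locally - Gravatars" add-on is enabled (off by default), so a
    vulnerable version with the feature off still needs patching but is not
    exploitable through this path, while a vulnerable version with it on is.
    """
    version = extract_plugin_version(header_text)
    if version is None:
        return {"version": None, "status": "unknown"}
    if not is_vulnerable_version(version):
        status = "patched"
    elif gravatar_hosting_enabled:
        status = "exploitable"
    else:
        status = "vulnerable-version-feature-off"
    return {"version": version, "status": status}


if __name__ == "__main__":
    # Constructed inputs: one patched site, one exposed site.
    print(assess(SAMPLE_PLUGIN_HEADER, gravatar_hosting_enabled=True))
    print(assess(" * Version: 2.4.4\n", gravatar_hosting_enabled=True))
```

On a host with WP-CLI, the installed version can be read with `wp plugin get breeze --field=version` and fed to `is_vulnerable_version`; the slug "breeze" is assumed here rather than taken from the article. The feature flag still has to be checked in the plugin's settings, since the version alone does not tell you whether the exploitable code path is reachable.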

Source: Bleeping Computer
