Unauthenticated file upload in Breeze Cache hits 400k sites
TL;DR - Breeze Cache <= 2.4.4: no file-type validation in fetch_gravatar_from_remote means unauthenticated attackers can upload arbitrary files when "Host Files Locally - Gravatars" is enabled. CVSS 9.8, actively exploited. Update to 2.4.5 immediately, or disable the feature or the plugin.
What happened
Breeze Cache is a WordPress performance plugin handling page caching, minification, compression, and CDN integration. It runs on over 400,000 sites.
CVE-2026-3844 scores a CVSS 9.8. The fetch_gravatar_from_remote code path accepts remote file content without validating the file type. When the "Host Files Locally - Gravatars" option is on, an unauthenticated attacker can push an arbitrary file - including a PHP webshell - onto the server. The option is off by default, which narrows the population at immediate risk, but Wordfence recorded over 170 distinct attack attempts and blocked 3,936 attacks in a single 24-hour window. This is not theoretical probing.
The pattern is well-worn: unauthenticated file upload plus a PHP-executable upload path equals site takeover. Attackers know the playbook and are already running it.
| Item | Detail |
|---|---|
| CVE | CVE-2026-3844 |
| Vulnerable versions | <= 2.4.4 |
| Fixed version | 2.4.5 |
| Vulnerable code path | fetch_gravatar_from_remote |
| Exploit condition | "Host Files Locally - Gravatars" must be enabled |
| CVSS | 9.8 (Critical) |
Who is impacted
- WordPress sites running
Breeze Cacheversions<= 2.4.4. - Highest risk: any site with "Host Files Locally - Gravatars" enabled - that setting is required for exploitation.
What to do now
- Update
Breeze Cacheto2.4.5or the latest available patched release. - If you cannot patch right now:
- Disable "Host Files Locally - Gravatars" to remove the attack surface, or
- Disable the plugin entirely until you can patch.
- Assume any site that had the gravatar feature enabled and was internet-exposed may already be compromised. Treat it as a webshell and credential exposure event:
- Review web server and WordPress logs for suspicious file upload requests and unexpected POST activity.
- Audit writable directories:
wp-content/uploads/, cache directories, and any plugin-writable paths. Look for unexpected.phpfiles. - Validate integrity of plugin and theme directories.
- Rotate WordPress database credentials, API keys, and any other secrets accessible to the runtime if you have any doubt about the site's state.
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.