Critical Breeze Cache Plugin Flaw Actively Exploited for Arbitrary File Uploads

April 24, 2026 00:01 · 4 min read
Active Exploitation Underway Against Popular WordPress Caching Plugin

Threat actors are actively targeting a critical security flaw in Breeze Cache, a widely used caching plugin for WordPress developed by Cloudways. The vulnerability, tracked as CVE-2026-3844, permits unauthenticated attackers to upload arbitrary files to an affected server — a capability that can rapidly escalate to full website compromise.

Researchers at Defiant, the WordPress security company behind the Wordfence security solution, have recorded more than 170 exploitation attempts against the flaw. The finding was originally discovered and responsibly reported by security researcher Hung Nguyen, who operates under the handle bashu.

What Is Breeze Cache and Who Is at Risk?

Breeze Cache is a performance-oriented WordPress plugin from Cloudways that improves page load times through caching, file optimization, and database cleanup routines. The plugin currently boasts more than 400,000 active installations, making the scope of potential exposure considerable.

The vulnerability carries a critical severity score of 9.8 out of 10, reflecting how easily it can be exploited and how damaging the consequences can be. Every version of Breeze Cache up to and including 2.4.4 is affected. Cloudways addressed the issue in version 2.4.5, which was released earlier this week.

WordPress.org statistics indicate that the plugin has received approximately 138,000 downloads since version 2.4.5 became available, though the exact number of still-vulnerable installations remains unknown.

Technical Root Cause: Missing File-Type Validation

According to Defiant researchers, the flaw originates from a lack of file-type validation within the plugin's fetch_gravatar_from_remote function. Because no checks are performed on the type of file being submitted, an unauthenticated attacker can upload malicious files — including web shells — directly to the server.

If successfully exploited, this weakness can lead to:

A Key Condition Limits — But Does Not Eliminate — the Threat

There is one important caveat to the exploitability of CVE-2026-3844: the attack only succeeds when the "Host Files Locally - Gravatars" add-on feature within the plugin is enabled. Critically, this option is not turned on by default, which means sites running Breeze Cache in its standard configuration are not directly vulnerable.

However, this does not justify complacency. It is unknown how many of the 400,000+ active installations have this feature toggled on, and with over 170 documented exploitation attempts already recorded by Wordfence, attackers are clearly scanning for and targeting sites where the condition is met.

Recommended Actions for WordPress Site Administrators

Given the critical nature of CVE-2026-3844 and the confirmed active exploitation, site owners and administrators relying on Breeze Cache should take immediate action. Defiant recommends the following steps, in order of preference:

  1. Upgrade to Breeze Cache version 2.4.5 or later as soon as possible. This is the only complete fix for the vulnerability.
  2. If an immediate upgrade is not feasible, temporarily disable the Breeze Cache plugin entirely until an update can be applied.
  3. At minimum, disable the "Host Files Locally - Gravatars" feature within the plugin settings to remove the exploitable attack vector.

Broader Context: WordPress Plugin Vulnerabilities on the Rise

This incident is part of a continuing pattern of threat actors zeroing in on vulnerabilities in popular WordPress plugins. Because plugins like Breeze Cache are installed across hundreds of thousands of sites simultaneously, a single flaw can expose an enormous attack surface almost instantly upon disclosure.

Security professionals consistently advise WordPress administrators to maintain automatic updates wherever possible, conduct regular plugin audits, and monitor their sites for unusual file activity — particularly in directories where user-facing functions like avatar hosting might write data to disk.
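One way to carry out that file-activity check on a directory that should hold only avatar images is sketched below. It is an added example, not code from Defiant, Cloudways, or the plugin. The directory to audit is an assumption you supply yourself, since the article does not name where locally hosted gravatars are written, and the extension list and sample files are constructed for illustration.

```python
import os
import tempfile

# Magic bytes of the image formats an avatar cache should contain.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
# Extensions commonly mapped to the PHP interpreter (assumed list; match your server config).
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}


def is_image(head: bytes) -> bool:
    # WebP is a RIFF container with "WEBP" at offset 8.
    return head.startswith(IMAGE_MAGIC) or (head[:4] == b"RIFF" and head[8:12] == b"WEBP")


def audit_avatar_dir(root: str) -> dict:
    """Return {relative_path: [reasons]} for files that do not look like avatars."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1024 * 1024)  # avatars are small; cap the read
            reasons = []
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                reasons.append("script extension")
            if not is_image(data[:12]):
                reasons.append("not an image")
            if b"<?php" in data.lower():
                reasons.append("embedded PHP tag")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def demo() -> dict:
    # Constructed sample files standing in for a locally hosted avatar directory.
    samples = {
        "a1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "c3.php": b"<?php /* constructed placeholder */ ?>",
        "d4.gif": b"GIF89a" + b"\x00" * 8 + b"<?php /* constructed placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return audit_avatar_dir(root)


if __name__ == "__main__":
    print(demo())
```

The third sample shows why the content scan runs alongside the magic-byte check: a file can carry a valid image header and still contain script content, so a header check alone would pass it.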

For sites currently running Breeze Cache 2.4.4 or any earlier version, the window for action is narrow. With exploitation already documented in the wild, delaying the update to version 2.4.5 increases the risk of a successful intrusion with each passing day.


Source: BleepingComputer
