Key Takeaways

- CVE-2026-3844 has a severity score of 9.8/10 and allows remote code execution
- Wordfence has blocked over 170 exploitation attempts so far
- Update to Breeze Cache 2.4.5 or disable the Gravatars add-on immediately
What's Happening
Hackers are actively exploiting a critical vulnerability in Breeze Cache, a popular WordPress caching plugin from Cloudways. The flaw lets attackers upload malicious files to servers without logging in. That can lead to full website takeover.
Security firm Wordfence has already blocked more than 170 exploitation attempts. The vulnerability, tracked as CVE-2026-3844, carries a severity score of 9.8 out of 10. It affects all Breeze Cache versions up to and including 2.4.4.
Why Breeze Cache Matters
Breeze Cache has more than 400,000 active installations. Website owners use it to speed up page loads through caching, file optimization, and database cleanup. It's a standard performance tool for WordPress sites that need faster response times.
That install base makes this vulnerability a big deal. Even if a small percentage of sites remain unpatched, attackers have a large target surface.
How the Exploit Works
Researchers at Defiant, the company behind Wordfence, traced the problem to missing file-type validation. The vulnerable function is called 'fetch_gravatar_from_remote'. Because the plugin doesn't check what type of file is being uploaded, attackers can push executable code to the server.
Once malicious code is on the server, attackers can run it remotely. This gives them full control over the website. They can steal data, inject malware, redirect visitors, or use the site as a launch point for further attacks.
There's one catch. The exploit only works if the "Host Files Locally - Gravatars" add-on is turned on. This setting is off by default. So sites that never enabled it are not vulnerable, even if they run an outdated Breeze Cache version.
The Fix Is Available
Cloudways released version 2.4.5 earlier this week. This version patches the vulnerability. According to WordPress.org stats, the plugin has had about 138,000 downloads since the fix dropped.
That still leaves a gap. With 400,000 active installations, many sites haven't updated yet. And there's no public data on how many have the Gravatars add-on enabled.
What You Should Do Now
- Update Breeze Cache to version 2.4.5 immediately through your WordPress dashboard
- If you can't update right now, disable the "Host Files Locally - Gravatars" add-on
- If you can't do either, consider temporarily deactivating the plugin until you can patch
- Check your server logs for unusual file uploads or unexpected PHP files in the Breeze directory
Security researcher Hung Nguyen (bashu) discovered and reported the flaw. Responsible disclosure gave Cloudways time to build a patch before exploitation ramped up.
Broader WordPress Security Context
This incident fits a pattern. WordPress plugins are frequent targets because they're widely used and often maintained by small teams. When a popular plugin has a critical flaw, attackers move fast. Automated scanners can identify vulnerable sites within hours of a public disclosure.
The 170 blocked attempts Wordfence recorded likely represent a fraction of total attack traffic. Sites without active security monitoring may not know they've been probed or compromised.
Frequently Asked Questions
Is my site vulnerable if I use Breeze Cache?
Only if you're running version 2.4.4 or earlier AND have the "Host Files Locally - Gravatars" add-on enabled. The add-on is off by default.
What can attackers do if they exploit this vulnerability?
They can upload and execute arbitrary files on your server. This leads to remote code execution, which means full website takeover, data theft, malware injection, or using your site to attack others.
How do I update Breeze Cache?
Go to your WordPress dashboard, navigate to Plugins, find Breeze, and click Update. You should see version 2.4.5 available.
What if I can't update right away?
Disable the "Host Files Locally - Gravatars" add-on in Breeze settings. This closes the attack path until you can install the patch.
How do I know if my site was already compromised?
Check your server logs for unexpected file uploads. Look for unfamiliar PHP files in the Breeze plugin directory. Consider running a malware scan with a tool like Wordfence.
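The file check described above and under "What You Should Do Now" can be scripted. The sketch below is an added example, not code from Wordfence, Cloudways or the original report: it walks a directory that should hold only avatar images and flags script extensions, non-image content and embedded PHP tags. The page does not give the directory Breeze uses, so the path is passed in by the operator; the extension list and magic-byte set are assumptions, and the sample files are constructed.

```python
import os
import sys
import tempfile

# Magic-byte prefixes of the image types an avatar cache should contain.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
# Assumed list of extensions web servers commonly hand to the PHP interpreter.
SCRIPT_EXTS = {"php", "phtml", "phar", "pht", "php5", "php7"}

def inspect_file(path):
    """Return the reasons a file looks out of place among cached avatars."""
    reasons = []
    # Check every dotted segment so both "a.jpg.php" and "a.php.jpg" are caught.
    if SCRIPT_EXTS & set(os.path.basename(path).lower().split(".")[1:]):
        reasons.append("script extension")
    with open(path, "rb") as fh:
        data = fh.read(1024 * 1024)  # avatars are small; 1 MiB is ample
    is_webp = data[:4] == b"RIFF" and data[8:12] == b"WEBP"
    if not (data.startswith(IMAGE_MAGIC) or is_webp):
        reasons.append("not an image")
    if b"<?php" in data.lower():  # also catches image/PHP polyglots
        reasons.append("contains PHP tag")
    return reasons

def scan(root):
    """Walk root and map each suspicious file (relative path) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if reasons := inspect_file(full):
                findings[os.path.relpath(full, root)] = reasons
    return findings

def demo():
    """Scan a temp directory of constructed sample files (not real artifacts)."""
    samples = {"ok.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
               "avatar.php": b"<?php echo 1; ?>",
               "polyglot.gif": b"GIF89a<?php echo 1; ?>"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return scan(tmp)

if __name__ == "__main__":
    result = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, reasons in sorted(result.items()):
        print(f"{path}: {', '.join(reasons)}")
```

Run it with the avatar cache directory as the only argument. A hit is a lead to review against a clean copy of the plugin, not proof of compromise.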
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.