Critical RCE Flaw in Breeze Cache WordPress Plugin
The National Vulnerability Database reports a critical arbitrary file upload vulnerability, CVE-2026-3844, in the Breeze Cache plugin for WordPress. This flaw, present in all versions up to and including 2.4.4, stems from a lack of file type validation within the `fetch_gravatar_from_remote` function. This oversight enables unauthenticated attackers to upload arbitrary files to the server, a direct path to remote code execution (RCE).
While severe, exploitation is conditional. The vulnerability is only active if the “Host Files Locally - Gravatars” setting is enabled. Crucially, this setting is disabled by default, providing a small but significant hurdle for attackers. However, the CVSS score of 9.8 (CRITICAL) underscores the catastrophic impact if an attacker can bypass this default configuration, or if administrators have intentionally enabled the feature.
For defenders, this means a straightforward but critical check. If you’re running Breeze Cache, verify the status of the “Host Files Locally - Gravatars” option. An attacker’s calculus here is simple: find misconfigured instances where this feature is active, then exploit the arbitrary file upload to gain RCE. This is a high-reward target for any unauthenticated attacker scanning for vulnerable WordPress sites.
What This Means For You
- If your organization uses the Breeze Cache plugin for WordPress, immediately check if the "Host Files Locally - Gravatars" setting is enabled. If it is, disable it and audit your server for any unauthorized files uploaded via the `fetch_gravatar_from_remote` function. This is a critical RCE vector if misconfigured.
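One way to run the file audit described above, as an added example that is not code from the plugin or from the original report. The page does not give the directory where Breeze stores locally hosted Gravatars, so the script takes that path as an argument; the image allow-list and the 1 MiB read limit are assumptions.

```python
import sys
import tempfile
from pathlib import Path

# Allow-list (an assumption): image types an avatar cache should hold, with magic bytes.
JPEG = (b"\xff\xd8\xff",)
IMAGE_MAGIC = {"png": (b"\x89PNG\r\n\x1a\n",), "jpg": JPEG, "jpeg": JPEG,
               "gif": (b"GIF87a", b"GIF89a")}

def audit_file(path):
    """Return the reasons a file does not belong in an avatar cache ([] = looks fine)."""
    reasons = []
    ext = Path(path).suffix.lstrip(".").lower()
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # headers plus enough body to spot embedded PHP
    if ext not in IMAGE_MAGIC:
        reasons.append("extension not on image allow-list")
    elif not data.startswith(IMAGE_MAGIC[ext]):
        reasons.append("content does not match extension")
    if b"<?php" in data.lower():
        reasons.append("contains PHP open tag")
    return reasons

def audit_dir(root):
    """Walk root and map each suspicious file (relative path) to its reasons."""
    findings = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and (reasons := audit_file(p)):
            findings[p.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Run the audit over a constructed sample directory (no real site data)."""
    samples = {
        "a1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # plausible avatar
        "b2.php": b"<?php /* constructed placeholder */ ?>",  # wrong type entirely
        "c3.jpg": b"\xff\xd8\xff\xe0" + b"<?php ?>",  # image header, PHP body
        "d4.gif": b"<html>not an image</html>",  # extension/content mismatch
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return audit_dir(root)

if __name__ == "__main__":
    # Optional argument: the directory to audit; otherwise the constructed demo runs.
    result = audit_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, why in result.items():
        print(f"{rel}: {'; '.join(why)}")
```

A clean result only means nothing in that directory fails these checks; files written elsewhere on the server are outside its scope.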
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-3844 | RCE | Breeze Cache plugin for WordPress versions <= 2.4.4 |
| CVE-2026-3844 | Arbitrary File Upload | Breeze Cache plugin function: 'fetch_gravatar_from_remote' |
| CVE-2026-3844 | Misconfiguration | Breeze Cache plugin setting: 'Host Files Locally - Gravatars' enabled |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 06:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.