A critical vulnerability in the Breeze Cache plugin for WordPress is being actively exploited in the wild, putting approximately 400,000 sites at risk of remote code execution attacks. This Arbitrary File Upload flaw allows unauthenticated attackers to upload malicious PHP files and gain full control over affected servers.
Key Takeaways
- Breeze Cache versions up to 2.4.4 suffer from a critical Arbitrary File Upload vulnerability (CVE-2026-3844).
- The flaw allows unauthenticated remote attackers to upload PHP backdoors via a gravatar caching feature.
- Exploit attempts began immediately after public disclosure on April 22, 2026, with over 30,000 blocked by Wordfence Firewall.
- Updating to Breeze Cache 2.4.5 is essential to patch the vulnerability and stop active exploitation.
- Wordfence Premium users received proactive firewall protection weeks before the disclosure; free users received it 30 days later.
Vulnerability Overview and Technical Details
On April 22, 2026, security researchers disclosed a severe Arbitrary File Upload vulnerability in the Breeze Cache plugin, which is widely installed across WordPress sites. The vulnerability received a 9.8 CVSS rating, indicating a critical severity level that demands immediate attention.
The root cause lies in the plugin’s fetch_gravatar_from_remote function, which is responsible for caching gravatar images locally when the “Host Files Locally – Gravatars” option is enabled (disabled by default). This function downloads remote gravatar images and saves them without validating file types or extensions.
A flaw in a regular expression used to parse avatar image tags also enables attackers to inject malicious URLs via the “alt” attribute in avatar <img> tags, which WordPress populates with user display names or author names. By submitting a comment with an author name set to a URL pointing to a malicious PHP file, an attacker can trigger the plugin to download and save that file within the publicly accessible Breeze Cache directory.
This unvalidated file upload allows attackers to plant PHP backdoors on the server, leading to remote code execution and complete site compromise. The vulnerability only affects sites that have enabled local gravatar hosting, but this setting is commonly activated by users seeking performance improvements.
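The URL-extraction problem described above, as an added illustration in Python rather than the plugin's PHP; it is not Breeze Cache's code or its patch. The loose pattern, the sample tag and the function names are constructed for this example, and the gravatar.com host allowlist is an assumption about what a strict parser would accept.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical loose pattern (NOT the plugin's regex): first URL anywhere in the tag.
NAIVE_URL = re.compile(r"https?://[^\s'\"]+")


class _ImgSrc(HTMLParser):
    """Collect the src attribute of the first <img> tag only."""
    def __init__(self):
        super().__init__()
        self.src = None

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self.src is None:
            self.src = dict(attrs).get("src")


def naive_avatar_url(img_html):
    """Loose extraction: returns whichever URL appears first, even one inside alt."""
    m = NAIVE_URL.search(img_html)
    return m.group(0) if m else None


def strict_avatar_url(img_html):
    """Return the src URL only if it is HTTPS on gravatar.com or a subdomain."""
    parser = _ImgSrc()
    parser.feed(img_html)
    if not parser.src:
        return None
    try:
        parts = urlsplit(parser.src)
    except ValueError:  # malformed URL, e.g. broken IPv6 brackets
        return None
    host = (parts.hostname or "").lower()
    on_gravatar = host == "gravatar.com" or host.endswith(".gravatar.com")
    return parser.src if parts.scheme == "https" and on_gravatar else None


# Constructed sample: the alt text (the commenter's display name) carries a URL.
SAMPLE = ('<img alt="https://files.example/x.php" '
          'src="https://secure.gravatar.com/avatar/0123abcd?s=64" class="avatar">')
```

On the sample tag the loose pattern returns the URL from the alt text, while the strict parser returns only the gravatar.com src.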
Timeline and Exploitation Activity
The plugin vendor released a patched version, Breeze Cache 2.4.5, on April 21, 2026, addressing the vulnerability by adding proper file validation and fixing the URL parsing logic. However, attackers began exploiting the flaw the very next day, as documented in the Wordfence Intelligence vulnerability database.
Wordfence Premium, Care, and Response users were fortunate to receive a firewall rule blocking exploit attempts on March 10, 2026 — well before the public disclosure — demonstrating proactive threat intelligence. Free Wordfence users gained this protection 30 days later, on April 10, 2026.
Despite these protections, Wordfence reports over 30,000 exploit attempts blocked by their firewall in the weeks following disclosure, underscoring the aggressive nature of this campaign. Active exploitation means unpatched sites are highly vulnerable to compromise.
Mitigation and Immediate Actions
The critical priority for site operators is to update Breeze Cache to version 2.4.5 or later. This patch closes the file upload flaw by implementing strict validation and correcting the gravatar URL parsing.
Sites that cannot update immediately should ensure they have a web application firewall (WAF) enabled, ideally one capable of blocking this exploit pattern. Users of Wordfence Premium or similar security plugins are already protected, but free users should confirm their firewall is active and up to date.
In addition, reviewing recent uploads in the Breeze Cache gravatar directory (/wp-content/cache/breeze-extra/gravatars/) for suspicious PHP files is advised. Any unknown PHP files should be removed, and site integrity checked for further compromise.
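One way to carry out this directory review, as an added example script that is not part of Wordfence's or the plugin vendor's guidance. The cache path is the one given above; the PHP extension list and the 1 MiB read limit are assumptions to adjust for your server.

```python
import os
import sys

# Cache path named in the article, relative to the WordPress root.
GRAVATAR_CACHE = "wp-content/cache/breeze-extra/gravatars"
# Leading bytes of the image formats an avatar can legitimately be.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
# Assumption: extensions your web server hands to PHP; adjust to its config.
PHP_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}
PHP_TAGS = (b"<?php", b"<?=")


def looks_like_image(head):
    """True if the leading bytes match PNG, JPEG, GIF or WebP."""
    if head.startswith(IMAGE_MAGIC):
        return True
    return head[:4] == b"RIFF" and head[8:12] == b"WEBP"


def scan(cache_dir):
    """Return sorted (path, reasons) pairs for files that are not plain avatars."""
    findings = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # avatars are small; 1 MiB is plenty
            lowered = data.lower()  # PHP open tags are case-insensitive
            reasons = []
            if os.path.splitext(name)[1].lower() in PHP_EXTS:
                reasons.append("php-extension")
            if not looks_like_image(data[:16]):
                reasons.append("not-an-image")
            if any(tag in lowered for tag in PHP_TAGS):
                reasons.append("php-tag-in-content")
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)


if __name__ == "__main__":
    wp_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in scan(os.path.join(wp_root, GRAVATAR_CACHE)):
        print(f"{path}\t{','.join(reasons)}")
```

Run it with the WordPress root as the only argument. Harmless non-image files such as an index.html placeholder are also listed as not-an-image, so review each finding before deleting anything.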
Context Within WordPress Security Landscape
Arbitrary File Upload vulnerabilities consistently rank among the most dangerous WordPress security issues because they allow attackers to execute code on the server with minimal barriers. This vulnerability in Breeze Cache is particularly concerning due to the high install base and because the local gravatar caching option, although disabled by default, is commonly enabled for performance.
Our testing and real-world observations show that attackers rapidly weaponize such flaws, often within hours of disclosure. The proactive deployment of a firewall rule to Wordfence Premium users demonstrates the value of managed security defenses in reducing exposure windows.
This incident highlights the persistent risk posed by third-party plugins and the critical need for timely updates and layered security controls. Agencies and site operators should monitor their plugin inventory closely and prioritize patches for plugins with active exploitation.
For context, our previous WordPress security coverage has tracked similar critical plugin vulnerabilities and their impact on the ecosystem, emphasizing the need for vigilance.
What This Means for WordPress Users
We urge all WordPress site owners and administrators using Breeze Cache to update to version 2.4.5 immediately. The window for exploitation is open and active, and failure to patch exposes sites to complete takeover risks.
For developers and agencies managing client sites, this situation reinforces the importance of automated update workflows and security monitoring. Integrating security plugin firewalls like Wordfence can provide essential protection during patch rollout delays.
This exploit also serves as a reminder that plugin features involving file downloads or caching, especially those manipulating user-generated content, must be scrutinized for security risks. The gravatar hosting option, while beneficial for performance, introduced a critical attack vector in this case.
Looking ahead, the WordPress ecosystem must continue to improve plugin vetting and encourage best practices around input validation and file handling. Hosting providers and security services will need to maintain vigilance for rapid response to emerging threats.
Frequently Asked Questions
Which versions of Breeze Cache are vulnerable to this exploit?
All versions up to and including 2.4.4 are affected. Updating to version 2.4.5 or later patches the vulnerability.
How can attackers exploit this vulnerability without authentication?
Attackers can submit comments with author names containing URLs to malicious PHP files. The plugin then downloads and saves these files without validation, enabling remote code execution.
Is the vulnerability exploitable if the “Host Files Locally – Gravatars” option is disabled?
No, the vulnerability requires this option to be enabled. It is disabled by default, but many users enable it for performance benefits.
What immediate steps should site owners take to protect themselves?
Update the Breeze Cache plugin to version 2.4.5 immediately and ensure a firewall is active. Also, scan the gravatar cache directory for suspicious PHP files and remove any found.