Critical Vulnerability in Breeze Cache Plugin Puts Over 400,000 Websites at Risk

227/69 Monday, April 27, 2026

Researchers from Wordfence have disclosed a critical vulnerability, CVE-2026-3844 (CVSS 9.8), in the Breeze Cache plugin for WordPress, developed by Cloudways. The flaw allows unauthenticated file uploads to the server, potentially leading to remote code execution (RCE). The plugin is currently used by more than 400,000 websites, and at least 170 exploitation attempts have already been observed.

The vulnerability stems from insufficient file type validation in the fetch_gravatar_from_remote function, enabling attackers to upload malicious files to the system. However, exploitation is only possible if the feature “Host Files Locally – Gravatars” is enabled, which is disabled by default. The issue affects plugin versions 2.4.4 and earlier and has been patched in version 2.4.5.

According to Wordfence, over 3,900 attack attempts related to this vulnerability were blocked within a 24-hour period, indicating rapidly escalating risk. Website administrators are strongly advised to update the plugin to the latest version immediately or temporarily disable it, review configuration settings, and monitor for unusual activity to prevent website compromise and potential data breaches.

Source: https://securityaffairs.com/191267/uncategorized/over-400000-sites-at-risk-as-hackers-exploit-breeze-cache-plugin-flaw-cve-2026-3844.html