cbcvebase.
CVE-2026-3844
published 2026-04-23


Priority: P1 91
CVSS 3.1: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 36.51% (98.3rd percentile)
The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.

Affected (1 range)

Vendor      Product        Version range   Fixed in
cloudways   breeze_cache   <= 2.4.4

Detection & IOCs (extracted from sources)

  • Unauthenticated requests triggering file uploads should be flagged; exploitation requires no authentication, so any file upload activity via the Breeze Cache gravatar endpoint from unauthenticated sessions is suspicious.
  • Wordfence has already blocked more than 170 exploitation attempts — review Wordfence logs for CVE-2026-3844 triggered rules as a detection signal.
  • Exploitation is only possible when the 'Host Files Locally - Gravatars' option is enabled; this feature is disabled by default, significantly limiting the attack surface.
  • All Breeze Cache versions up to and including 2.4.4 are affected; version 2.4.5 contains the fix.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             9.8     CRITICAL