PT-2026-34629 · WordPress · Breeze Cache

Hung Nguyen

·

Published

2026-04-23

·

Updated

2026-06-25

·

CVE-2026-3844

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Breeze Cache versions prior to 2.4.5
Description The Breeze Cache plugin for WordPress contains an arbitrary file upload flaw that allows unauthenticated attackers to upload malicious files, such as PHP backdoors, potentially leading to remote code execution and full site compromise. The issue is caused by missing file type validation and an incorrect regular expression in the fetch gravatar from remote() function, which allows URLs to be extracted from the alt attribute of image tags instead of just the src attribute. Attackers can exploit this by placing a malicious URL in the author name field of a comment. This vulnerability affects approximately 400,000 active installations and has been actively exploited in the wild, with over 30,000 attempts blocked by security firewalls. Exploitation is only possible if the "Host Files Locally - Gravatars" setting is enabled, which is disabled by default.
Recommendations Update to version 2.4.5 or later. Disable the "Host Files Locally - Gravatars" setting if not in use. Scan the /wp-content/cache/breeze-extra/gravatars/ directory for unknown PHP files. Monitor for suspicious administrator accounts, specifically those following the randomhex@wordpress.org email pattern.

Fix

RCE

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-3844

Affected Products

Breeze Cache