PT-2026-34629 · WordPress · Breeze Cache

Hung Nguyen · Published 2026-04-23 · Updated 2026-05-01 · CVE-2026-3844

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Breeze Cache versions prior to 2.4.5

Description

Missing file type validation in the fetch_gravatar_from_remote() function allows unauthenticated attackers to upload arbitrary files to the server, which can lead to remote code execution (RCE) and full website takeover. This issue is actively exploited in the wild, with reports of attackers uploading malicious PHP scripts and web shells, and over 170 attacks detected. More than 400,000 WordPress sites are estimated to be at risk. The flaw is only exploitable if the "Host Files Locally - Gravatars" feature is enabled, which is disabled by default.

Recommendations

Update to version 2.4.5. Disable the "Host Files Locally - Gravatars" feature. Monitor for suspicious file uploads.
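
One way to act on the "Monitor for suspicious file uploads" recommendation, shown as an added example that is not part of the advisory or of the Breeze code: a scan of a locally hosted avatar directory for files that are not images or that carry PHP. The directory path is an assumption supplied by the operator (the advisory does not state where the files are stored), and the function names are hypothetical.

```python
import os
import sys

# Magic-byte prefixes of the image types an avatar cache should contain.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
# Extensions a web server may hand to the PHP interpreter.
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7", ".pht")
# PHP open tag; matched case-insensitively, also catches image polyglots.
PHP_MARKER = b"<?php"


def is_image(head):
    if head.startswith(IMAGE_MAGIC):
        return True
    # WebP: RIFF container with "WEBP" at offset 8.
    return head[:4] == b"RIFF" and head[8:12] == b"WEBP"


def inspect_file(path, max_bytes=1 << 20):
    """Return a list of reasons the file is suspicious (empty if clean)."""
    reasons = []
    if os.path.basename(path).lower().endswith(SCRIPT_EXTS):
        reasons.append("script extension")
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    if not is_image(data[:12]):
        reasons.append("not an image by magic bytes")
    if PHP_MARKER in data.lower():
        reasons.append("contains PHP open tag")
    return reasons


def scan(cache_dir):
    """Walk cache_dir and return {path: reasons} for suspicious files."""
    findings = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            reasons = inspect_file(path)
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    # Assumption: the operator passes the avatar cache directory as argv[1].
    for path, reasons in sorted(scan(sys.argv[1]).items()):
        print(f"{path}: {', '.join(reasons)}")
```

Only the first 1 MiB of each file is inspected, and short open tags (`<?=`) are not matched, to keep false positives on binary image data low.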

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2026-3844

Affected Products

Breeze Cache