PT-2026-34629 · WordPress · Breeze Cache

Author: Hung Nguyen · Published: 2026-04-23 · Updated: 2026-05-23 · CVE-2026-3844

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Breeze Cache versions prior to 2.4.5

Description: An arbitrary file upload issue exists in the Breeze Cache plugin for WordPress, affecting approximately 400,000 active installations. The flaw is located in the fetch_gravatar_from_remote() function, where an incorrect regular expression extracts URLs from the alt attribute of image tags instead of only from the src attribute. Unauthenticated attackers can exploit this by setting the display name of a comment to include a malicious URL pointing to a PHP file. The function then downloads that file without validating its type or extension, enabling the upload of PHP backdoors and potential remote code execution. The issue is exploitable only when the "Host Files Locally - Gravatars" setting is enabled; it is disabled by default. Real-world exploitation began immediately after disclosure on April 22, 2026, with over 30,000 attempts blocked by security firewalls and mass exploitation observed between April 24 and 29, 2026.

Recommendations: Update Breeze Cache to version 2.4.5 or later. Disable the "Host Files Locally - Gravatars" setting to mitigate the risk of exploitation.
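The description implies two checks that the vulnerable code path lacked: the remote URL must be taken only from the img src attribute (never from alt text), and whatever is downloaded must be verified as an image before it is written to local storage under a server-chosen name. The following Python model of a "host gravatars locally" step is an example added for this page; it is not the Breeze Cache plugin's PHP, the plugin's faulty regular expression is not reproduced, and the host allowlist, the magic-byte table, the sample HTML and the injected fetch callback are assumptions made so the code runs offline.

```python
"""
Illustrative hardened 'host gravatars locally' step (added example, not plugin code).
"""
import hashlib
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy values for this example; the plugin's real configuration is not on the page.
ALLOWED_HOSTS = {"secure.gravatar.com", "www.gravatar.com", "gravatar.com"}
IMAGE_MAGIC = {  # leading bytes of the body -> extension used for the locally stored copy
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
IMAGE_EXTENSIONS = set(IMAGE_MAGIC.values()) | {".jpeg"}

# Constructed sample inputs: avatar markup whose alt text carries a URL that must be ignored,
# and a minimal PNG header standing in for a real image download.
SAMPLE_AVATAR_HTML = (
    '<img alt="https://evil.example/x.php" '
    'src="https://secure.gravatar.com/avatar/abc123?s=96" class="avatar">'
)
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


class _ImgSrcCollector(HTMLParser):
    """Collects only the src attribute of <img> tags; other attributes are never consulted."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def extract_img_src(html):
    """Parse the markup with a real HTML parser instead of a regex over the whole tag."""
    parser = _ImgSrcCollector()
    parser.feed(html)
    return parser.srcs


def check_remote_url(url):
    """Accept only https URLs on the avatar host allowlist whose path is not a script file."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return False
    ext = os.path.splitext(parts.path)[1].lower()
    # Gravatar paths normally carry no extension, so an empty extension is acceptable.
    return ext == "" or ext in IMAGE_EXTENSIONS


def image_extension(body):
    """Return the extension implied by the body's leading bytes, or None if it is not an image."""
    for magic, ext in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return ext
    return None


def local_name_for(url, body):
    """Server-chosen file name: URL hash plus an extension derived from content, never from the URL."""
    ext = image_extension(body)
    if ext is None:
        return None
    return hashlib.sha256(url.encode()).hexdigest()[:32] + ext


def host_avatars_locally(avatar_html, fetch):
    """
    Model of the local-hosting step. `fetch(url) -> bytes` is injected so the example runs
    offline. Returns {remote_url: local_file_name} containing accepted images only.
    """
    stored = {}
    for url in extract_img_src(avatar_html):
        if not check_remote_url(url):
            continue
        name = local_name_for(url, fetch(url))
        if name is not None:
            stored[url] = name
    return stored


if __name__ == "__main__":
    print(host_avatars_locally(SAMPLE_AVATAR_HTML, lambda url: PNG_SAMPLE))
    print(host_avatars_locally(SAMPLE_AVATAR_HTML, lambda url: b"<?php echo 1;"))
```

The three gates are independent: the parser never sees the alt value as a URL, the URL check rejects non-allowlisted hosts and script-like paths, and the content check derives the stored extension from the bytes actually received, so a PHP body fetched from any host is dropped rather than written to disk.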

Fix

RCE

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2026-3844

Affected Products

Breeze Cache