Hackers Exploit Critical Breeze Cache Flaw in WordPress Sites


A file-upload bug in the Breeze Cache plugin is under active exploitation, but only sites with the optional “Host Files Locally – Gravatars” feature enabled appear exposed. The issue highlights how a niche plugin setting can create outsized risk across a large WordPress install base.

VALENCIA, SPAIN — Threat actors have begun actively weaponizing a critical file-upload vulnerability in Breeze, a popular WordPress caching plugin. Tracked as CVE-2026-3844, the flaw allows unauthenticated attackers to upload malicious files to a web server, potentially leading to full Remote Code Execution (RCE) and total site takeover.

Security researchers and outlets, including WPScan and Security Affairs, report an immediate surge in malicious activity following the bug's discovery. In one 24-hour window, researchers recorded over 170 exploitation attempts and thousands of automated blocks, signaling that scanning botnets have already integrated the exploit into their rotation.

Breeze Cache Exploitation Profile

Vulnerability Type: Critical File Upload / RCE
Status: Actively Exploited in the Wild
Specific Trigger: “Host Files Locally – Gravatars” enabled
Patch Management: Update Breeze Plugin Immediately

The "Niche Feature" Trap

The most striking element of CVE-2026-3844 is its dependency on a specific, optional configuration. The vulnerability is tied to the “Host Files Locally – Gravatars” feature. When enabled, this setting attempts to improve site performance by downloading and serving user avatars directly from the local server rather than external Gravatar servers.

Due to a weakness in how the plugin handles these file transfers, attackers can bypass security checks to upload non-image files — such as PHP webshells. While the plugin is installed on upwards of 400,000 sites, the actual "blast radius" is likely smaller, limited only to those administrators who manually toggled this specific performance feature.

Active Exploitation in the Wild

Reports from Tenable and BleepingComputer confirm that this is not a theoretical risk. Attackers are currently using the flaw as an initial foothold. Once a webshell is successfully uploaded, it can be used for:

  • Payload Delivery: Injecting ransomware or SEO spam into the site database.
  • Credential Harvesting: Accessing wp-config.php to steal database credentials.
  • Lateral Movement: Using the compromised web server to attack other systems within the same hosting environment.

This incident reinforces a recurring theme in WordPress security: the most dangerous vulnerabilities often hide in secondary features that expand a site's attack surface beyond the core CMS.

Defender Guidance: Patch and Audit

Because this flaw is under active attack, site owners using Breeze Cache should treat remediation as a top priority.

  1. Immediate Update: Update the Breeze Cache plugin to the latest patched version (check the WordPress plugin repository for the most recent release).
  2. Feature Audit: If you cannot update immediately, disable the "Host Files Locally – Gravatars" feature in the Breeze settings menu.
  3. Integrity Check: Scan your /wp-content/uploads/ directory for any unexpected .php files or suspicious scripts that may have been placed during the initial exploitation window.
  4. Log Monitoring: Watch for unauthenticated POST requests to the plugin’s admin-ajax handlers, which may indicate scanning activity.
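As an added example (not code from the article or from the Breeze plugin), the following Python script implements steps 3 and 4 above: it flags PHP scripts in an uploads tree, including ones hidden behind an image extension, and counts POST requests to admin-ajax.php per client from access-log lines. The directory contents and log lines are constructed samples, and the standard Apache/Nginx combined log format is assumed.

```python
"""Hygiene checks from the Defender Guidance above: PHP scripts hiding in
wp-content/uploads, and bursts of POSTs to admin-ajax.php in access logs.
Example code for this article, not Breeze code; sample data is constructed."""
import os
import re
import tempfile
from collections import Counter

# PHP can hide behind image or double extensions, so inspect leading bytes too.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
PHP_TAGS = (b"<?php", b"<?=")

def suspicious_uploads(root):
    """Return relative paths under root with a PHP extension or a PHP open tag."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(512).lstrip()
            if PHP_EXT.search(name) or head.startswith(PHP_TAGS):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

# Combined log format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def admin_ajax_posters(lines, threshold=3):
    """Return {client_ip: count} for IPs sending >= threshold POSTs to admin-ajax.php."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(2) == "POST" and m.group(3).startswith("/wp-admin/admin-ajax.php"):
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def build_sample_uploads():
    """Constructed uploads tree: a real PNG header, a .php file, and PHP behind a .png name."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "2026", "03"))
    files = {"avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
             "cache.php": b"<?php echo 'constructed sample'; ?>",
             "avatar2.png": b"\n<?php /* PHP behind an image name */ ?>"}
    for name, data in files.items():
        with open(os.path.join(root, "2026", "03", name), "wb") as fh:
            fh.write(data)
    return root

SAMPLE_LOG = [  # constructed lines using RFC 5737 documentation addresses
    '203.0.113.7 - - [10/Mar/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 120',
    '198.51.100.4 - - [10/Mar/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300',
]
```

Point `suspicious_uploads` at a real `wp-content/uploads` path and feed `admin_ajax_posters` your access log to run the same checks on a live site; standard logs do not record login cookies, so a count of POSTs per client is a scanning signal rather than proof of an unauthenticated request.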

The CyberSignal Analysis: Strategic Signals

Signal 01 — The Risk of "Performance at Any Cost"

The desire for faster page load times often leads admins to enable "optimization" features without auditing the security trade-offs. This incident proves that even a small utility meant to cache avatars can become a critical entry point if it handles file writes incorrectly.

Signal 02 — KEV-Style Urgency for CMS

WordPress plugins are effectively the "supply chain" of the small-to-medium business (SMB) world. When a plugin flaw enters active exploitation, it should be treated with the same urgency as a "Known Exploited Vulnerability" (KEV) in enterprise software.

Signal 03 — Targeted Scraping for Configuration

Attackers are no longer just looking for "outdated WordPress." They are fingerprinting sites for particular enabled settings. This requires defenders to move beyond simple version patching and start practicing "feature-level" attack surface reduction.


Sources

Reporting: BleepingComputer: Breeze Cache Exploitation
Technical: WPScan: CVE-2026-3844 Profile
Security: Security Affairs: 400,000 Sites Alert
