
A Popular WordPress Plugin Has a Flaw That Lets Strangers Take Over Your Website

A critical bug in the Breeze Cache WordPress plugin lets anyone on the internet upload malicious files to your site — no password required. Here's what to do now.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

If your website runs on WordPress and uses a plugin called Breeze Cache, a complete stranger — no account, no password, no invitation — may be able to plant malicious software directly on your server and take full control of your site.

Who's at Risk, and How Big Is This?

WordPress powers roughly 43% of all websites on the internet — that's hundreds of millions of sites, from personal blogs to online stores to nonprofit fundraising pages. Breeze Cache is a performance plugin made by Cloudways, a well-known managed hosting company, designed to make WordPress sites load faster. It has tens of thousands of active installations worldwide.

The vulnerability affects every version of Breeze Cache up to and including version 2.4.4. If your site is running any of those versions and you've enabled a specific setting called "Host Files Locally - Gravatars," your site is potentially wide open. Real-world consequences range from a defaced homepage to stolen customer data, injected payment-skimming code, or your site being quietly recruited into a botnet to attack other targets — all without you ever knowing it happened.

What's Actually Going On Here

To understand the danger, it helps to know what Gravatars are. A Gravatar is a small profile photo that follows you around the internet — you set it up once on Gravatar.com, and it shows up next to your comments on millions of websites. Breeze Cache has an optional feature that downloads a local copy of these profile photos directly onto your web server, so pages load a little faster instead of fetching the image from Gravatar's servers every time.

The problem is in how the plugin handles that download process. When it goes to fetch a profile photo from a remote address, it doesn't actually check what kind of file it's receiving. It's supposed to grab a harmless image — a JPEG or PNG of someone's face. But the plugin will accept anything without question: a text document, a video, or — crucially — a PHP script. PHP is the programming language that WordPress itself runs on, and if an attacker can get a PHP file onto your server and then visit it in a browser, that script executes. That means they can run commands, create admin accounts, read your database, exfiltrate emails and passwords, or install a backdoor for later.

The truly alarming part is that none of this requires the attacker to log in. They don't need to have ever visited your site before. Anyone on the internet who discovers your site is running a vulnerable version of Breeze Cache with this setting enabled can send a specially crafted request, slip a malicious script onto your server, and begin issuing commands — all within seconds. In security terms, this is what's called an unauthenticated remote code execution vulnerability, and it's about as bad as things get for a website owner.

The Technical Detail Security Teams Need to Know

The root cause is a missing file type validation check in the fetch_gravatar_from_remote() function within the Breeze Cache plugin codebase. This function performs no MIME type inspection, no file extension allowlisting, and no content-based verification before writing the fetched payload to disk. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS score of 9.8 out of 10 — Critical. The attack vector is network-accessible with no authentication required, no user interaction needed, and full impact across confidentiality, integrity, and availability — a perfect storm for server compromise.
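As an added illustration (not the plugin's code, and written in Python rather than the plugin's PHP), this is what the validation the article says was missing looks like in practice: a fetched Gravatar body is accepted only if its extension, Content-Type header and file signature agree and it contains no PHP open tag, and the on-disk name is built from server-side values rather than anything in the remote response. The allowlist, the hash choice and the function names are assumptions.

```python
import hashlib
import os
import re

# Constructed allowlist: extension -> (MIME type, accepted file signatures).
ALLOWED = {
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}
PHP_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)

def validate_image_payload(body: bytes, content_type: str, ext: str):
    """Return (ok, reason). These are the checks the vulnerable fetch path skipped:
    extension allowlist, MIME header, file signature, and an embedded-PHP scan."""
    ext = ext.lower().lstrip(".")
    if ext not in ALLOWED:
        return False, f"extension .{ext} is not an allowed image type"
    mime, signatures = ALLOWED[ext]
    if content_type.split(";")[0].strip().lower() != mime:
        return False, f"Content-Type {content_type!r} does not match .{ext}"
    if not any(body.startswith(sig) for sig in signatures):
        return False, "file signature does not match the declared image type"
    if PHP_TAG.search(body):
        return False, "image body contains a PHP open tag (polyglot)"
    return True, "ok"

def local_gravatar_path(upload_dir: str, email_hash: str, ext: str) -> str:
    """Build the on-disk name from server-side values only (the Gravatar hash and
    the validated extension) so nothing in the remote response shapes the path."""
    if not re.fullmatch(r"[0-9a-f]{32,64}", email_hash):
        raise ValueError("email hash must be lowercase hex")
    return os.path.join(upload_dir, f"{email_hash}.{ext.lower().lstrip('.')}")

def store_gravatar(upload_dir: str, email: str, body: bytes, content_type: str, ext: str):
    """Validate, then write; returns (path or None, reason)."""
    ok, reason = validate_image_payload(body, content_type, ext)
    if not ok:
        return None, reason
    # Gravatar addresses avatars by a hash of the trimmed, lowercased email;
    # SHA-256 is used here (an assumption; MD5 is the older form).
    email_hash = hashlib.sha256(email.strip().lower().encode()).hexdigest()
    path = local_gravatar_path(upload_dir, email_hash, ext)
    os.makedirs(upload_dir, exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(body)
    return path, "stored"
```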

Has Anyone Been Attacked Yet?

As of publication, no active exploitation has been confirmed in the wild. There are no known victims or documented attack campaigns tied to this specific CVE (tracked as CVE-2026-3844) at this time. However, security history gives a sobering lesson here: once a vulnerability like this is publicly disclosed, attackers begin scanning for vulnerable targets within hours. Automated tools can sweep millions of WordPress sites looking for the telltale signs of a vulnerable plugin version in far less time than it takes most site owners to read their email.

There is one significant mitigating factor worth noting: the vulnerable feature — "Host Files Locally - Gravatars" — is disabled by default. This means sites that have never touched that setting are not exposed. But any site where an administrator turned it on to chase a performance optimization is now in the crosshairs. If you're unsure whether you enabled it, that uncertainty itself is a reason to act immediately.

What You Should Do Right Now

  1. Update Breeze Cache to version 2.4.5 or later immediately. Log into your WordPress dashboard, go to Plugins → Installed Plugins, find Breeze Cache, and hit "Update." Cloudways has released a patched version that includes proper file type validation. If automatic updates are available for your setup, verify the update actually went through — don't assume it did.
  2. Disable "Host Files Locally - Gravatars" until you've confirmed the patch is applied. In your WordPress admin panel, navigate to Breeze → Advanced Settings and look for the Gravatar hosting option. Turning this off removes the attack surface entirely while you get your update sorted. This is your emergency brake if updating right now isn't possible.
  3. Audit your uploads folder for anything suspicious. If you've had this setting enabled, use your hosting control panel or an SFTP client to browse to wp-content/uploads/ and look for any files with extensions like .php, .phtml, .php5, or .phar that don't belong there. A WordPress security scanner plugin like Wordfence or Sucuri can automate this check. If you find anything unexpected, treat your site as compromised and contact your host immediately.
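An added example for step 3, not from the article or from Breeze: a Python sweep of wp-content/uploads that flags the extensions listed above and, going beyond the checklist, also catches PHP code hidden behind an image extension and stray server config files inside the uploads tree. It builds its own constructed sample folder so it can be run offline; point audit_uploads() at your real uploads directory instead.

```python
import os
import re
import tempfile

# Constructed patterns: the checklist's extensions plus numbered variants, and a PHP open tag.
DANGEROUS_EXT = re.compile(r"\.(php\d?|phtml|phar|phps)$", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)

def classify_file(name: str, content: bytes) -> list[str]:
    """Reasons a file under wp-content/uploads deserves a look (empty = clean)."""
    reasons = []
    if DANGEROUS_EXT.search(name):
        reasons.append("executable PHP extension")
    elif PHP_TAG.search(content):
        reasons.append("PHP open tag inside a non-PHP file")
    if name.lower() in (".htaccess", ".user.ini"):
        reasons.append("server config inside uploads (can change how files run)")
    return reasons

def audit_uploads(uploads_dir: str, max_read: int = 1 << 20) -> dict[str, list[str]]:
    """Map relative path -> reasons for every hit; scans the first max_read bytes."""
    findings = {}
    for root, _dirs, files in os.walk(uploads_dir):
        for fname in files:
            path = os.path.join(root, fname)
            try:
                with open(path, "rb") as fh:
                    content = fh.read(max_read)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if reasons := classify_file(fname, content):
                rel = os.path.relpath(path, uploads_dir).replace(os.sep, "/")
                findings[rel] = reasons
    return findings

def build_demo_tree() -> str:
    """Constructed uploads folder: one clean avatar plus three planted files."""
    base = tempfile.mkdtemp(prefix="uploads-demo-")
    avatars = os.path.join(base, "2026", "03")
    os.makedirs(avatars)
    samples = {
        "clean.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "shell.php": b"<?php echo 'constructed sample'; ?>",
        "avatar.jpg": b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>",
        ".htaccess": b"# constructed sample\n",
    }
    for name, data in samples.items():
        with open(os.path.join(avatars, name), "wb") as fh:
            fh.write(data)
    return base
```

Any hit should be treated as the article says: assume compromise and involve your host, rather than just deleting the file.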

CVE-2026-3844 carries a CVSS score of 9.8 (Critical). No active exploitation has been confirmed at time of publication. This article will be updated as new information becomes available.
