Attack Overview
Threat actors are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress, one of the most widely used caching plugins on the platform. The flaw, tracked as CVE-2026-3844 with a CVSS score of 9.8, allows unauthenticated attackers to upload arbitrary files — including PHP webshells — to WordPress servers without requiring any login credentials.
Security researchers first observed mass exploitation in the wild shortly after the vulnerability was publicly disclosed on April 23, 2026. Attackers are targeting WordPress installations at scale using automated scanning tools to identify sites running vulnerable versions of the plugin.
The Vulnerability
CVE-2026-3844 exists in the fetch_gravatar_from_remote function within Breeze Cache. This function downloads and locally caches remote avatar images to improve site performance. The vulnerability arises from a complete absence of file type validation:
- The function does not check the Content-Type of the downloaded file
- It does not validate the file extension before saving
- It does not inspect file content (magic bytes) for image signatures
- Downloaded files land in a web-accessible cache directory
By supplying a URL pointing to a PHP script instead of an image, an attacker causes Breeze Cache to download and store the script on the server. The file is then directly accessible over HTTP, giving the attacker a persistent webshell with which to execute operating system commands.
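The three missing checks, written out as an added illustration (this is not Breeze Cache's code): the downloaded body is validated by Content-Type, URL extension and magic bytes, and the on-disk name is derived from the cache key and the sniffed type rather than from the remote URL. The 32-hex-character key is assumed to be a Gravatar-style email hash.

```python
import re
from urllib.parse import urlparse

# Leading bytes of the only formats an avatar cache should ever store.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Declared MIME type -> extension the magic bytes must agree with.
ALLOWED_CONTENT_TYPES = {"image/jpeg": "jpg", "image/png": "png", "image/gif": "gif"}
ALLOWED_URL_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


class RejectedDownload(ValueError):
    """A fetched file failed one of the validation layers."""


def sniff_image_type(body: bytes):
    """Return the extension implied by the body's magic bytes, or None."""
    for signature, ext in IMAGE_SIGNATURES.items():
        if body.startswith(signature):
            return ext
    return None


def safe_cache_name(url: str, content_type: str, body: bytes, cache_key: str) -> str:
    """Validate a downloaded avatar and return the name it may be cached under.
    The name comes from the key plus the *sniffed* type, never from the URL,
    so a URL ending in .php can never produce a .php file on disk."""
    # 1. Content-Type must be an accepted image type (parameters stripped).
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared not in ALLOWED_CONTENT_TYPES:
        raise RejectedDownload(f"unexpected Content-Type {declared!r}")
    # 2. A URL extension, when present, must be an image extension.
    last_segment = urlparse(url).path.rsplit("/", 1)[-1]
    url_ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
    if url_ext and url_ext not in ALLOWED_URL_EXTENSIONS:
        raise RejectedDownload(f"refusing URL with extension .{url_ext}")
    # 3. Magic bytes must identify an image and agree with the declared type.
    sniffed = sniff_image_type(body)
    if sniffed is None or sniffed != ALLOWED_CONTENT_TYPES[declared]:
        raise RejectedDownload(f"body is not a {declared} image")
    # Assumed Gravatar-style key: 32 hex chars, so it cannot traverse paths.
    if not re.fullmatch(r"[0-9a-f]{32}", cache_key):
        raise RejectedDownload("cache key is not a 32-char hex hash")
    return f"{cache_key}.{sniffed}"
```

Even a GIF/PHP polyglot that passes the sniff check is stored as .gif, which is why the server-side block on PHP execution in the cache directory is still worth adding as a second layer.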
| Detail | Value |
|---|---|
| CVE | CVE-2026-3844 |
| CVSS Score | 9.8 (Critical) |
| Plugin | Breeze Cache |
| Affected Versions | 2.4.4 and earlier |
| Authentication Required | None |
| Actively Exploited | Yes |
What Attackers Are Doing
Observed attack patterns include:
Webshell Deployment
Attackers are uploading minimal PHP webshells to the Breeze cache directory. These webshells accept commands via GET or POST parameters and execute them under the web server user account. Once planted, attackers return repeatedly to issue commands without re-exploiting the vulnerability.
Reconnaissance and Credential Theft
After gaining shell access, attackers are observed:
- Reading wp-config.php to steal database credentials
- Enumerating WordPress admin accounts
- Harvesting stored credentials from other web applications on the same server
- Checking for privilege escalation paths (SUID binaries, sudo rules, kernel exploits)
Ransomware and Defacement
Some campaigns are deploying ransomware against compromised servers, encrypting WordPress files and demanding payment. Others are defacing sites or injecting SEO spam to monetize access without triggering immediate detection.
Persistence
Attackers are planting multiple webshells in different locations on the server to maintain access even if the primary webshell is detected and removed. Some campaigns also add rogue WordPress admin accounts as a backup access mechanism.
Who Is at Risk
Breeze Cache is the official caching plugin distributed by Cloudways, a managed WordPress and cloud hosting platform. While the plugin is primarily associated with Cloudways-hosted sites, it is also available from the WordPress Plugin Repository and can be installed on any WordPress site.
Sites at risk include:
- Any WordPress installation running Breeze Cache versions 2.4.4 or earlier
- Sites without a web application firewall (WAF) blocking exploit requests
- Sites on shared hosting where a single compromised site can impact neighboring accounts
Immediate Actions
1. Update Breeze Cache Now
The most critical action is updating to the latest patched version of Breeze Cache immediately.
```bash
# Via WP-CLI (--allow-root is only needed when WP-CLI itself runs as root;
# prefer running it as the site's own user)
wp plugin update breeze --allow-root
# Or update via the WordPress admin dashboard:
# Plugins > Installed Plugins > Breeze > Update Now
```
2. Scan for Webshells
```bash
# Find PHP files that do not belong in the cache directory
# (adjust the path to your site's document root)
find /var/www/html/wp-content/cache/breeze/ -name "*.php" -type f
# Scan for common webshell indicators
grep -rn "system\|shell_exec\|passthru\|eval\|base64_decode" \
    /var/www/html/wp-content/cache/
```
3. Block PHP Execution in Cache Directories
Add a server rule to prevent PHP execution in the Breeze cache directory regardless of what files are placed there:
```nginx
# Nginx: place this before the generic "location ~ \.php$" fastcgi block,
# because regex locations are tested in file order and the first match wins
location ~* /wp-content/cache/.*\.php$ {
    deny all;
}
```
4. Enable a WAF
Deploy a web application firewall (Cloudflare, Wordfence Firewall, or Sucuri) configured to block the exploit request pattern targeting the fetch_gravatar_from_remote function.
5. Rotate Credentials
If your site ran a vulnerable version and was potentially accessible to attackers:
- Change your WordPress database password and update wp-config.php
- Refresh WordPress secret keys and salts
- Audit all WordPress admin accounts for unauthorized additions
Detection and Monitoring
Organizations should monitor for the following indicators of compromise (IoCs):
| Indicator | Description |
|---|---|
| POST requests referencing breeze_fetch_gravatar | Exploit attempt |
| PHP files appearing in wp-content/cache/breeze/ | Webshell upload |
| Unusual outbound HTTP connections from the web server process | Remote file fetch during attack |
| OS commands executed from PHP-FPM or Apache worker processes | Active webshell usage |
| New WordPress admin accounts with unfamiliar usernames | Post-exploitation persistence |
| wp-config.php accessed via the web server process at unusual times | Credential theft |
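The first two indicators in the table can be checked directly against the web server's access log. This added example (not part of the advisory) runs that check over constructed sample lines in combined log format; the admin-ajax URL on the first line is an assumption, since the page only states that exploit attempts are POSTs referencing breeze_fetch_gravatar.

```python
import re

# Constructed sample in combined log format (not real traffic). The first line
# assumes the action name travels in the query string; the page only says that
# exploit attempts are POSTs that reference breeze_fetch_gravatar.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Apr/2026:02:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=breeze_fetch_gravatar HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [24/Apr/2026:02:14:09 +0000] "GET /wp-content/cache/breeze/abc123.php HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.7 - - [24/Apr/2026:02:15:00 +0000] "GET /wp-content/cache/breeze/abc123.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Apr/2026:02:15:01 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Apr/2026:02:16:30 +0000] "GET /wp-content/cache/breeze/old.PHP HTTP/1.1" 404 153 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
CACHE_DIR = "/wp-content/cache/breeze/"


def classify(line: str):
    """Map one access-log line to an IoC category from the table, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], m["status"]
    path = target.split("?", 1)[0].lower()
    # Exploit attempt: the request line names the vulnerable action. If the
    # action is sent in the POST body it will not show here; use WAF/app logs.
    if method == "POST" and "breeze_fetch_gravatar" in target.lower():
        return "exploit-attempt"
    # No PHP file should ever exist under the cache directory: a 200 means one
    # really is there (webshell in use), anything else is an attacker probing.
    if path.startswith(CACHE_DIR) and path.endswith(".php"):
        return "webshell-access" if status == "200" else "webshell-probe"
    return None


def scan(log_text: str):
    """Return (line_no, client_ip, category) for every line matching an IoC."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        category = classify(line)
        if category:
            hits.append((n, LOG_RE.match(line)["ip"], category))
    return hits


if __name__ == "__main__":
    for n, ip, category in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {category}")
```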
Broader Context: WordPress Plugin Vulnerabilities
CVE-2026-3844 is part of a continuing trend of critical unauthenticated vulnerabilities in popular WordPress plugins. The plugin ecosystem's scale — with tens of thousands of plugins and millions of active sites — makes it a persistent high-value target for threat actors who can turn a single plugin vulnerability into a mass-exploitation campaign with relatively low effort.
The shift to automated exploitation means that sites running vulnerable plugins are typically compromised within hours of public vulnerability disclosure, before many administrators have had a chance to apply patches. Keeping plugins updated is no longer a maintenance task that can be deferred — it is a front-line security control.