Is Breeze Cache affected by CVE-2026-3844?

CVE-2026-3844 is a critical remote code execution vulnerability in Breeze Cache for WordPress that allows unauthenticated attackers to upload malicious files when a non-default feature is enabled.

Breeze Cache CVE-2026-3844

EUVD-2026-25174 CRITICAL

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-04-23 Wordfence

GHSA-c529-q7mw-hq6j

WordPress File Upload RCE

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 23, 2026 - 14:37 vuln.today

cvss_changed

Analysis Generated

Apr 23, 2026 - 06:46 vuln.today

DescriptionNVD

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.

AnalysisAI

Arbitrary file upload in Breeze Cache for WordPress allows unauthenticated remote attackers to upload malicious files and achieve remote code execution on vulnerable servers. Exploitation requires the non-default 'Host Files Locally - Gravatars' feature to be enabled. …

RemediationAI

Within 24 hours: Audit all WordPress installations running Breeze Cache to identify whether the 'Host Files Locally - Gravatars' feature is enabled (check Breeze settings > CDN > Gravatar options). Within 7 days: Disable the 'Host Files Locally - Gravatars' feature on all affected instances if enabled, and apply any security hardening updates from Breeze; monitor Breeze plugin repository and Wordfence advisories for patch availability. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-4106 MEDIUM This Month POC

5.3 Apr 23

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some P

CVE-2026-5306 MEDIUM This Month POC

5.4 Apr 28

Stored XSS vulnerability in Check & Log Email WordPress plugin before version 2.0.13 allows authenticated users with low

CVE-2026-7106 HIGH This Week

8.8 Apr 27

Authenticated attackers with Subscriber-level privileges can escalate to Administrator role in Highland Software Custom

CVE-2026-6741 HIGH This Week

8.8 Apr 27

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Esca

CVE-2026-5364 HIGH This Week

8.1 Apr 24

Remote code execution in Drag and Drop File Upload for Contact Form 7 plugin (≤1.1.3) allows unauthenticated attackers t

CVE-2026-3844 vulnerability details – vuln.today

Back

Breeze Cache CVE-2026-3844

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code