securityaffairs.com 4/25/2026, 3:01:12 PM · via preferred

Over 400k WordPress sites hit by Breeze Cache flaw CVE-2026-3844

CyberSIXT Evidence Panel
Primary Source: wordfence.com
CISA KEV: Not in KEV
Patch: Patch Status Unknown

Over 400,000 websites are affected by a critical flaw in the Breeze Cache WordPress plugin, tracked as CVE-2026-3844, which Wordfence describes as having a CVSS score of 9.8. The flaw is an unauthenticated arbitrary file upload vulnerability in the fetch_gravatar_from_remote function. Attacks exploiting it allow files to be uploaded to affected sites if the "Host Files Locally – Gravatars" option is enabled, which Wordfence notes is disabled by default.

The issue affects Breeze Cache up to version 2.4.4, with a fix released in version 2.4.5. Exploitation can lead to remote code execution and full site takeover. Wordfence researchers detected over 170 attack attempts so far, and they reported blocking 3,936 attacks targeting this vulnerability in the past 24 hours. The vulnerability was uncovered by security researcher Hung Nguyen (bashu). Wordfence’s advisory emphasises that Breeze Cache is a free WordPress plugin developed by Cloudways. According to Wordfence, users should update to the latest version or disable the plugin promptly.
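For hosts that serve many WordPress sites, the version boundary above can be checked in bulk. The script below is an added example, not code from Wordfence, Cloudways or the article: it reads each plugin's Version header and flags anything below 2.4.5. The plugin directory name "breeze" and the sample tree built by make_site are assumptions, and the script does not inspect the Gravatars option, so a flagged install still needs that setting checked.

```python
"""Inventory Breeze installs under a web root and flag versions below 2.4.5."""
import re
import sys
import tempfile
from pathlib import Path

FIXED = (2, 4, 5)  # first fixed release named in the article
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*([0-9][\w.\-]*)", re.M | re.I)

def parse_version(text):
    """'2.4.4' -> (2, 4, 4); missing parts count as 0, suffixes are ignored."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def plugin_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None.
    WordPress reads plugin headers from the first 8 KiB of a top-level PHP file."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192]
        match = VERSION_RE.search(head) if b"Plugin Name:" in head else None
        if match:
            return match.group(1).decode("ascii")
    return None

def audit(root, slug="breeze"):  # slug: assumed plugin directory name
    """Return [(relative plugin path, version, status)] for every install under root."""
    results = []
    for d in sorted(Path(root).rglob(f"wp-content/plugins/{slug}")):
        ver = plugin_version(d)
        status = "unknown" if ver is None else (
            "VULNERABLE" if parse_version(ver) < FIXED else "patched")
        results.append((d.relative_to(root).as_posix(), ver, status))
    return results

def make_site(root, name, version):
    """Constructed sample data: a minimal plugin tree with a WordPress-style header."""
    d = Path(root, name, "wp-content", "plugins", "breeze")
    d.mkdir(parents=True)
    (d / "main.php").write_text(
        f"<?php\n/**\n * Plugin Name: Breeze\n * Version: {version}\n */\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        rows = audit(sys.argv[1])
    else:  # no path given: run against constructed sample sites
        tmp = tempfile.mkdtemp()
        make_site(tmp, "old", "2.4.4")
        make_site(tmp, "new", "2.4.5")
        rows = audit(tmp)
    for path, ver, status in rows:
        print(f"{status:10} {ver or '-':8} {path}")
```

Pass the directory that contains the sites as the only argument; with no argument it runs against two constructed sample sites.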


Article by CyberSIXT