A critical vulnerability in the WordPress plugin Breeze Cache allows attackers to take over entire websites. More than 400,000 installations are affected.
The WordPress ecosystem is once again facing a serious security challenge. Experts are warning of a critical vulnerability in one of the most widely used performance tools for the world’s leading content management system, according to a report by Bleeping Computer. The affected software is the Breeze Cache plugin, developed by the well-known hosting provider Cloudways. With more than 400,000 active installations, the plugin is part of the standard toolkit for many webmasters who want to optimize their site loading times. Yet this very tool is now becoming a gateway for cybercriminals attempting to gain full control over third-party web servers.
The security flaw, registered as CVE-2026-3844, has been rated 9.8 on the CVSS scale, marking it as critical. At the heart of the issue is a file upload vulnerability that allows unauthenticated attackers to inject malicious code onto the server. The bug was discovered by security researcher Hung Nguyen, who operates under the handle bashu. Since a successful attack requires neither administrator privileges nor even a user account on the target site, the risk for affected WordPress sites is extremely high.
Technical background of the vulnerability
A detailed analysis by the security firm Defiant, which operates the well-known protection tool Wordfence, reveals exactly where the flaw lies in the plugin’s code. The problem is located in a function called fetch_gravatar_from_remote. This component was originally designed to download profile images from the external Gravatar service and store them locally on the site’s own web server. The goal was to shorten loading times while also making compliance with data protection regulations such as GDPR easier, since no direct requests to external servers would be needed.
However, when implementing this function, the developers failed to validate file types sufficiently. The plugin does not strictly check whether the downloaded file is actually a harmless image. Hackers can exploit this oversight to slip a malicious file, such as a prepared PHP script disguised as an image, onto the server. Once this script resides on the server, the attacker can invoke it by simply requesting its URL. The result is remote code execution (RCE), meaning arbitrary program code can be executed on the victim’s server.
Prerequisites for a successful attack
There is, however, one important factor that limits the potential number of victims. Researchers point out that the vulnerability can only be actively exploited if one specific setting in the plugin is enabled. This setting is the add-on called Host Files Locally, Gravatars. In the default configuration of Breeze Cache, this feature is disabled. Nevertheless, many experienced WordPress administrators use precisely this function to boost performance. For this group of users, urgent action is required.
Current threat landscape
The danger is by no means merely theoretical. According to data from Wordfence, more than 170 attempts to actively exploit the vulnerability have already been recorded. This suggests that hackers are deploying automated scripts to scan the internet for vulnerable WordPress installations. Now that the technical details are publicly known, a massive increase in attack attempts is expected in the coming days.
Breeze Cache is primarily designed to clean up databases, minify files, and accelerate content delivery through caching. That a performance module, of all things, contains such a serious flaw once again illustrates how complex securing WordPress plugins can be. Every additional feature that communicates with external interfaces potentially increases the attack surface.
Recommendations for WordPress administrators
The developer Cloudways has already responded and released the patched version 2.4.5 earlier this week. All older versions of the plugin up to and including 2.4.4 are considered insecure. Current statistics show that while the update has already been downloaded roughly 138,000 times, a large portion of the more than 400,000 installations is presumably still running the outdated version.
Administrators should immediately log into their WordPress dashboard and check which version of Breeze Cache is installed. Updating to version 2.4.5 or higher reliably closes the security hole. If an immediate update is not possible, it is strongly recommended to temporarily deactivate the plugin. As an absolute minimum measure, webmasters must ensure that the Host Files Locally, Gravatars function is switched off in the plugin settings.
In addition, affected users are advised to inspect their web server log files for suspicious activity. Particular attention should be paid to the upload directory that Breeze Cache uses for gravatars. If files with a PHP extension or unusual character sequences are found there, the site may already have been compromised. In such a case, a comprehensive cleanup of the WordPress installation, along with a change of all passwords for FTP, database, and administrator accounts, is unavoidable. The incident once again serves as a reminder to exercise caution when using plugins and highlights the importance of regular security updates in professional web operations.
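As an added example (not code from the article, the plugin or Cloudways), the following Python triage helper covers both the missing check described under the technical background and the directory and log inspection recommended here: it classifies files by their content rather than by name or Content-Type, flags anything in the gravatar directory that is not a genuine image, and pulls out access-log requests for PHP resources under that path. The directory path, the hash-keyed file naming and the sample log lines are assumptions constructed for this example.

```python
import os
import re
# Constructed placeholder: substitute the directory your own install writes gravatars to.
UPLOAD_DIR = "/wp-content/uploads/breeze-gravatars-PLACEHOLDER/"
# Magic bytes of the only formats a locally hosted gravatar should ever be.
IMAGE_SIGNATURES = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Constructed access-log lines in Apache combined format, not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.9 - - [01/Jan/2026:10:00:00 +0000] "GET /wp-content/uploads/breeze-gravatars-PLACEHOLDER/4f3c.jpg HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /wp-content/uploads/breeze-gravatars-PLACEHOLDER/4f3c.php?x=1 HTTP/1.1" 200 5',
]

def detect_image_type(head: bytes):
    # Classify by leading bytes only; Content-Type and the URL suffix are attacker controlled.
    for kind, sig in IMAGE_SIGNATURES.items():
        if head.startswith(sig):
            return kind
    return None

def safe_gravatar_name(data: bytes, email_hash: str):
    # The check the article says was missing: refuse anything that is not a real
    # image and take the extension from the content, never from the remote name.
    kind = detect_image_type(data[:16])
    if kind is None or not re.fullmatch(r"[0-9a-f]{32,64}", email_hash):
        return None
    return f"{email_hash}.{kind}"

def is_suspicious(name: str, head: bytes) -> bool:
    # Wrong extension, non-image content, or a PHP open tag inside an otherwise valid picture.
    ext = name.rsplit(".", 1)[-1].lower().replace("jpeg", "jpg") if "." in name else ""
    return ext not in IMAGE_SIGNATURES or detect_image_type(head) != ext or bool(PHP_TAG.search(head))

def find_suspicious_files(directory: str):
    # Walk the gravatar directory on disk and report every file that fails the check.
    hits = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                if is_suspicious(entry.name, fh.read(4096)):
                    hits.append(entry.name)
    return hits

def suspicious_log_lines(lines, upload_dir: str = UPLOAD_DIR):
    # Requests for a .php resource under the gravatar path should never happen; flag them.
    parsed = ((LOG_RE.search(line), line) for line in lines)
    return [line for m, line in parsed
            if m and m.group(1).startswith(upload_dir) and ".php" in m.group(1).lower()]
```

Run find_suspicious_files against the real gravatar directory and suspicious_log_lines over the server's access log; any hit from either warrants the cleanup described above.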