CVE-2026-3844
Received Received - Intake
Arbitrary File Upload in Breeze Cache Plugin Enables RCE

Publication date: 2026-04-23

Last updated on: 2026-04-23

Assigner: Wordfence

Description
The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-23
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3844
EUVD
EUVD-2026-25174
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress breeze_cache to 2.4.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, ensure that the 'Host Files Locally - Gravatars' option in the Breeze Cache plugin is disabled, as it is by default.

Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this vulnerability is fixed.

Executive Summary

The Breeze Cache plugin for WordPress has a vulnerability in the 'fetch_gravatar_from_remote' function that lacks proper file type validation. This flaw allows unauthenticated attackers to upload arbitrary files to the server hosting the affected site.

This vulnerability exists in all versions up to and including 2.4.4 and can only be exploited if the 'Host Files Locally - Gravatars' feature is enabled, which is disabled by default.

Impact Analysis

Exploiting this vulnerability can allow attackers to upload arbitrary files, potentially leading to remote code execution on the affected server.

This means attackers could gain control over the website or server, leading to data breaches, defacement, or further compromise of the system.

Mitigation Strategies

To mitigate this vulnerability, ensure that the 'Host Files Locally - Gravatars' option in the Breeze Cache plugin is disabled, as it is by default.

Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this vulnerability is fixed.

Mitigation Strategies

To mitigate this vulnerability, ensure that the "Host Files Locally - Gravatars" option in the Breeze Cache plugin is disabled, as it is by default. Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this issue is fixed.

Mitigation Strategies

To mitigate this vulnerability, you should ensure that the 'Host Files Locally - Gravatars' option in the Breeze Cache plugin is disabled, as it is by default.

Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this vulnerability is fixed.

Mitigation Strategies

To mitigate this vulnerability, ensure that the "Host Files Locally - Gravatars" option in the Breeze Cache plugin is disabled, as it is by default. Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this issue is fixed.

Mitigation Strategies

To mitigate this vulnerability, ensure that the "Host Files Locally - Gravatars" option in the Breeze Cache plugin is disabled, as it is by default.

Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this vulnerability is fixed.

Mitigation Strategies

To mitigate this vulnerability, ensure that the 'Host Files Locally - Gravatars' setting in the Breeze Cache plugin is disabled, as it is by default. Additionally, update the Breeze Cache plugin to a version later than 2.4.4 once available to fix the missing file type validation issue.

Mitigation Strategies

To mitigate this vulnerability, ensure that the 'Host Files Locally - Gravatars' setting in the Breeze Cache plugin is disabled, as it is by default.

Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this vulnerability is fixed.

Mitigation Strategies

To mitigate this vulnerability, ensure that the 'Host Files Locally - Gravatars' setting in the Breeze Cache plugin is disabled, as it is by default.

Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this vulnerability is fixed.

Compliance Impact

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected WordPress site, potentially leading to remote code execution. This could result in unauthorized access to sensitive data or disruption of services.

Such unauthorized access and potential data breaches could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and health information against unauthorized access and ensuring system integrity.

However, the vulnerability can only be exploited if the 'Host Files Locally - Gravatars' option is enabled, which is disabled by default.

Mitigation Strategies

To mitigate this vulnerability, you should ensure that the "Host Files Locally - Gravatars" option in the Breeze Cache plugin is disabled, as it is by default.

Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this vulnerability is fixed.

Mitigation Strategies

To mitigate this vulnerability, ensure that the "Host Files Locally - Gravatars" option in the Breeze Cache plugin is disabled, as it is by default.

Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this vulnerability is fixed.

Mitigation Strategies

To mitigate this vulnerability, ensure that the 'Host Files Locally - Gravatars' option in the Breeze Cache plugin is disabled, as it is by default. Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this issue is fixed.

Mitigation Strategies

To mitigate this vulnerability, ensure that the 'Host Files Locally - Gravatars' option in the Breeze Cache plugin is disabled, as it is by default.

Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this vulnerability is fixed.

Mitigation Strategies

To mitigate this vulnerability, ensure that the "Host Files Locally - Gravatars" option in the Breeze Cache plugin is disabled, as it is by default.

Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this vulnerability is fixed.

Mitigation Strategies

To mitigate this vulnerability, you should ensure that the "Host Files Locally - Gravatars" option in the Breeze Cache plugin is disabled, as it is by default.

Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this vulnerability is fixed.

Mitigation Strategies

To mitigate this vulnerability, ensure that the "Host Files Locally - Gravatars" option in the Breeze Cache plugin is disabled, as it is disabled by default and the vulnerability can only be exploited if this option is enabled.

Additionally, update the Breeze Cache plugin to a version later than 2.4.4 where this vulnerability is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3844. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart