Breeze Cache Plugin Vulnerability (CVE-2026-3844)

Security Alert Summary

The Breeze Cache plugin for WordPress contains a file upload vulnerability that can allow unauthenticated attackers to upload arbitrary files when the “Host Files Locally – Gravatars” option is enabled. The issue is caused by missing file type validation in the fetch_gravatar_from_remote function and affects all versions up to and including 2.4.4.


CVE Details

  • CVE ID: CVE-2026-3844
  • Affected component: Breeze Cache plugin for WordPress
  • Affected versions: all versions up to, and including, 2.4.4
  • Published: April 23, 2026 at 03:16:17 AM UTC
  • Last modified: April 23, 2026 at 02:28:55 PM UTC
  • CVSS v3.1: Base score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), Severity: CRITICAL
  • Authentication / Privileges / User interaction: None required / None / None
  • Primary impact: Confidentiality: High; Integrity: High; Availability: High
  • Weakness: CWE-434

Technical Details

The vulnerability is caused by missing file type validation in the fetch_gravatar_from_remote function. When the plugin is configured to host Gravatars locally (“Host Files Locally – Gravatars” enabled), this function can accept and store files from remote sources without verifying allowed file types. This makes it possible for unauthenticated attackers to place arbitrary files on the server. Depending on server configuration and file types uploaded, remote code execution may be possible. The option that enables the behavior is disabled by default.


How This Could Impact Your Website

In a realistic scenario, an attacker scanning WordPress sites could upload a malicious file to any site where the owner or an administrator had enabled the local Gravatars option. The site owner might be unaware of the exposure, and internal staff or contractors could have assumed the setting was safe; because no authentication is required, an outside party could exploit the issue without holding any account on the site. Practical consequences include the potential for unauthorized code execution, unauthorized access to site data, and an increased risk of targeted phishing or social engineering if attackers can use the site to host malicious content or collect information.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available
  • Review and reduce unnecessary user roles, especially contributors
  • Enforce strong passwords and two-factor authentication for editors and administrators
  • Remove unused or unmaintained plugins
  • Monitor site activity for unusual behavior
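The two technical points above, the missing file type validation described under Technical Details and the "monitor site activity" action, share one check: does a file in the local avatar cache actually look like an image? The following is an added example written for this advisory, not Breeze's own code, showing (a) how a remote fetch-and-store routine can decide the on-disk extension from the file's leading bytes rather than from the URL or the server's Content-Type, and (b) a scan that flags cached files which fail that same check. The function names, the `512 KiB` size cap, the hex-only file name rule and the sample inputs are assumptions made for the example.

```python
"""Added example: validate a remotely fetched avatar before writing it to
the local cache, and scan an existing cache for files that are not images.
Not the Breeze plugin's code; names and limits are assumed."""
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Allowed image formats, identified by their leading bytes ("magic numbers").
# The on-disk extension is derived from these bytes, never from the remote
# URL or the response header, so a remote source cannot choose the file name.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}
MAX_AVATAR_BYTES = 512 * 1024  # assumed upper bound for an avatar image
PHP_TAGS = (b"<?php", b"<?=")  # reject image/PHP polyglots outright


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the extension implied by the leading bytes, or None if unknown."""
    for signature, ext in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return ext
    # WebP is a RIFF container: "RIFF" <4-byte size> "WEBP"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def validate_fetched_avatar(data: bytes, content_type: Optional[str]) -> Optional[str]:
    """Return the extension to store under, or None to reject the response."""
    if not data or len(data) > MAX_AVATAR_BYTES:
        return None
    ext = detect_image_type(data)
    if ext is None:
        return None
    # The header alone is not trusted, but a non-image header is still a reject.
    if content_type is not None:
        mime = content_type.split(";")[0].strip().lower()
        if not mime.startswith("image/"):
            return None
    if any(tag in data for tag in PHP_TAGS):
        return None
    return ext


def store_avatar(cache_dir: Path, email_hash: str, data: bytes,
                 content_type: Optional[str]) -> Optional[Path]:
    """Write a validated avatar under a name built only from a hex hash."""
    # Assumed rule: Gravatar-style md5 (32 hex) or sha256 (64 hex) of the e-mail.
    if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{64}", email_hash):
        return None
    ext = validate_fetched_avatar(data, content_type)
    if ext is None:
        return None
    target = Path(cache_dir) / f"{email_hash}.{ext}"
    target.write_bytes(data)
    return target


def scan_cache(cache_dir: Path) -> List[Path]:
    """Flag cached files whose bytes, extension, or content are not image-like."""
    suspicious: List[Path] = []
    for entry in sorted(Path(cache_dir).iterdir()):
        if not entry.is_file():
            continue
        data = entry.read_bytes()  # avatars are small; whole-file read is fine
        bad_bytes = detect_image_type(data) is None
        bad_ext = entry.suffix.lower().lstrip(".") not in ALLOWED_EXTENSIONS
        has_php = any(tag in data for tag in PHP_TAGS)
        if bad_bytes or bad_ext or has_php:
            suspicious.append(entry)
    return suspicious


# Constructed sample inputs (not real files).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_PHP = b"<?php echo 'hello'; ?>\n"
SAMPLE_POLYGLOT = b"GIF89a" + b"<?php echo 1; ?>"


def demo() -> List[str]:
    """Populate a temporary cache with good and bad files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp)
        store_avatar(cache, "0" * 32, SAMPLE_PNG, "image/png")      # accepted
        store_avatar(cache, "1" * 32, SAMPLE_PHP, "image/png")      # rejected
        (cache / "planted.php").write_bytes(SAMPLE_PHP)             # pre-existing
        (cache / "fake.png").write_bytes(b"not an image at all")    # pre-existing
        return [p.name for p in scan_cache(cache)]


if __name__ == "__main__":
    print(demo())
```

The validation never consults the remote file name, so a URL ending in `.php` or a `Content-Type: image/png` header on a PHP payload gains nothing; the scan applies the identical test to whatever is already on disk, which is the check to run after updating if the option was ever enabled.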

Our team at Freshy is happy to help if you’d like assistance reviewing your plugins, user roles, or overall WordPress security posture.
