Breeze Cache Flaw Sparks Unauthenticated File Upload and RCE Risk
Hackers are actively exploiting a critical vulnerability in the Breeze Cache WordPress plugin (CVE-2026-3844) that allows unauthenticated attackers to upload arbitrary files, potentially enabling remote code execution. The flaw affects all versions up to 2.4.4 and was fixed in 2.4.5; exploitation is more likely if the Host Files Locally - Gravatars add-on is enabled. Update to the latest version or disable the Gravatar hosting option to reduce risk. The plugin has about 400,000 active installations, and hundreds of exploitation attempts have been observed.