Cloudways Patches Actively Exploited File Upload Flaw in Breeze Cache Plugin

Take action: If you use the Breeze Cache WordPress plugin, update it to version 2.4.5 ASAP. If you can't update right away, disable the "Host Files Locally - Gravatars" setting as a temporary workaround until you can apply the update.


Cloudways released an emergency security update for the Breeze Cache WordPress plugin to address a critical vulnerability currently under active exploitation. The vulnerability allows unauthenticated attackers to upload malicious files to web servers.

The flaw is tracked as CVE-2026-3844 (CVSS score 9.8). It is an unauthenticated arbitrary file upload vulnerability in the fetch_gravatar_from_remote function, caused by missing file-type validation. Attackers can send crafted requests to the server to bypass security checks and store malicious scripts.

The attack only works if the Host Files Locally - Gravatars setting is active, which is not the default configuration.

Successful exploitation of this flaw leads to a complete website takeover. Attackers can plant web shells to gain persistent access to the underlying server environment. 
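
A triage check for this kind of compromise, added here as an example (it is not code from Cloudways or from the original article): it walks a directory that should hold only cached avatar images and flags files that are not images by extension or content, or that carry a PHP open tag. The directory is passed in by the operator as an assumption, since the article does not say where Breeze stores local Gravatars, and the function names are hypothetical.

```python
import os
import sys

# Leading bytes of the image formats an avatar cache normally holds.
IMAGE_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".webp"}
# PHP open tags; also catches a valid image header followed by script code.
SCRIPT_MARKERS = (b"<?php", b"<?=")


def sniff_image(head):
    """Return the image type implied by the leading bytes, or None."""
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    return next((n for n, m in IMAGE_MAGIC.items() if head.startswith(m)), None)


def audit_file(path):
    """List the reasons a file does not look like a plain cached avatar."""
    with open(path, "rb") as fh:
        data = fh.read(1024 * 1024)  # avatars are small; 1 MiB is enough
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_EXTS:
        reasons.append("extension %r is not an image type" % ext)
    if sniff_image(data[:16]) is None:
        reasons.append("content does not start with an image signature")
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        reasons.append("contains a PHP open tag")
    return reasons


def audit_tree(root):
    """Map each suspicious file under root to its list of reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for full in (os.path.join(dirpath, n) for n in files):
            reasons = audit_file(full)
            if reasons:
                findings[full] = reasons
    return findings


if __name__ == "__main__":
    # Assumption: argv[1] is the site's local avatar cache directory.
    for path, reasons in sorted(audit_tree(sys.argv[1]).items()):
        print(path, "->", "; ".join(reasons))
```

A clean result does not prove the site is uncompromised; files flagged here should be preserved for investigation before removal.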

The vulnerability affects all versions of the Breeze Cache plugin up to and including version 2.4.4. 

Administrators should update Breeze Cache to version 2.4.5 ASAP. If an immediate update is not possible, users must disable the Host Files Locally - Gravatars