Arbitrary File Upload Vulnerability in Breeze Cache Plugin for WordPress
CVE-2026-3844

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Breeze Cache
Vendor: CVE Published:; 23 April 2026

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 36%

What is CVE-2026-3844?

CVE-2026-3844 is a significant security vulnerability affecting the Breeze Cache plugin used in WordPress environments. This plugin serves the purpose of enhancing website performance by caching static files. The vulnerability stems from inadequate validation of file types in the 'fetch_gravatar_from_remote' function, affecting all versions of the plugin up to and including 2.4.4. As a result, unauthorized users could exploit this flaw to upload arbitrary files to the server hosting the affected WordPress site, which could potentially lead to remote code execution. The exploitation of this vulnerability poses serious risks, particularly since it can be triggered when the "Host Files Locally - Gravatars" feature is enabled, which, while disabled by default, may be activated in certain configurations.

Potential impact of CVE-2026-3844

Remote Code Execution: The most severe impact of CVE-2026-3844 is the potential for remote code execution. This allows an attacker to upload malicious scripts or executables that could take control of the server, leading to further compromise of the website and its underlying infrastructure.
Data Breach Risks: By exploiting this vulnerability, attackers could gain unauthorized access to sensitive data stored on the affected server. This includes user information, financial data, and other critical assets, potentially leading to data leaks or breaches that can severely damage an organization's reputation and legal standing.
Website Integrity and Availability: Once an attacker successfully uploads arbitrary files, they can modify website content, introduce malware, or deploy other attacks on users accessing the website. This can jeopardize the integrity of the website and lead to disruptions in service, ultimately affecting user trust and traffic.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

This is an advertDeploy the Patch

Affected Version(s)

Breeze Cache 0 <= 2.4.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-3844
Created by halilkirazkaya

CVE-2026-3844
Created by dinosn

CVE-2026-3844
Created by tausifzaman

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/breeze/tags/2....

EPSS Score

36% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 24, 2026
👾
Exploit known to exist
Apr 24, 2026
Vulnerability published
Apr 23, 2026
Vulnerability Reserved
Mar 9, 2026

Credit

Hung Nguyen

CVE-2026-3844 Data

JSON

WordPress

Badges

What is CVE-2026-3844?

Potential impact of CVE-2026-3844

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

Exploit Proof of Concept (PoC)

References

EPSS Score

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.