
[CIVN-2026-0206] Arbitrary File Upload Vulnerability in Breeze Cache plugin for WordPress
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Breeze Cache plugin for WordPress versions prior to 2.4.5
Overview
A critical vulnerability has been identified in the Breeze Cache plugin for WordPress which could allow an unauthenticated attacker to execute arbitrary code on the targeted system.
Target Audience:
Website administrators, developers, and organizations operating WordPress sites that use the Breeze Cache plugin.
Risk Assessment:
High risk of remote code execution.
Impact Assessment:
Potential for system compromise, data theft, unauthorized access.
Description
Breeze Cache is a WordPress caching plugin developed by Cloudways that improves website performance through page caching, file optimization, and CDN integration.
A vulnerability exists in the Breeze Cache plugin for WordPress due to improper validation of user-supplied input in the fetch_gravatar_from_remote functionality. This flaw allows unauthenticated users to upload arbitrary files to the server by abusing the gravatar-fetching mechanism.
Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the targeted system.
Solution
Apply appropriate security updates as mentioned in:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/breeze/breeze-cache-244-unauthenticated-arbitrary-file-upload-via-fetch-gravatar-from-remote
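To find installations that still need the update, the following added example (not part of the CERT-In advisory or the plugin's own code) reads the plugin header from each WordPress root given on the command line and compares the installed version with 2.4.5. The default wp-content/plugins/breeze layout and the function names are assumptions.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 4, 5)        # versions prior to 2.4.5 are affected (per the advisory)
PLUGIN_SLUG = "breeze"   # plugin directory name; assumes the default wp-content layout
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+)$", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """Turn '2.4.4' into (2, 4, 4); missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress only reads the start of a file when looking for headers.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head)
        if NAME_RE.search(head) and match:
            return match.group(1)
    return None

def check_site(wp_root):
    """Classify one WordPress root: (status, version string or None)."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return "not-installed", None
    version = installed_version(plugin_dir)
    if version is None:
        return "unknown", None   # directory exists but no header: review by hand
    status = "vulnerable" if parse_version(version) < FIXED else "patched"
    return status, version

if __name__ == "__main__":
    vulnerable = 0
    for root in sys.argv[1:] or ["."]:
        status, version = check_site(root)
        print(f"{root}: {PLUGIN_SLUG} {version or '-'} -> {status}")
        vulnerable += status == "vulnerable"
    sys.exit(1 if vulnerable else 0)   # non-zero exit when any site needs the update
```

The script exits non-zero when any listed site is below 2.4.5, so it can gate a scheduled job or deployment check.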
Vendor Information
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/breeze/breeze-cache-244-unauthenticated-arbitrary-file-upload-via-fetch-gravatar-from-remote
References
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/breeze/breeze-cache-244-unauthenticated-arbitrary-file-upload-via-fetch-gravatar-from-remote
CVE Name
CVE-2026-3844
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


