
Active Attacks Target Critical File Upload Flaw in Breeze Cache WordPress Plugin

Active exploitation of a critical file upload vulnerability in the Breeze Cache WordPress plugin began this week, with security researchers documenting more than 170 attack attempts against sites running the caching software from Cloudways, according to Bleeping Computer.

The security flaw, tracked as CVE-2026-3844, allows unauthenticated attackers to upload arbitrary files to WordPress servers. The vulnerability carries a critical severity score of 9.8 out of 10 and affects all Breeze Cache versions up to and including 2.4.4. Cloudways released version 2.4.5 earlier this week to address the issue.

Breeze Cache has more than 400,000 active installations and provides caching, file optimization, and database cleanup features designed to improve WordPress site performance. The plugin has been downloaded approximately 138,000 times since the patched version became available on WordPress.org.

Vulnerability Mechanics and Attack Surface

Researchers at Defiant, the company behind the Wordfence security solution for WordPress, identified the root cause as missing file-type validation in the plugin's 'fetch_gravatar_from_remote' function. Security researcher Hung Nguyen discovered and reported the flaw.

The missing validation creates a pathway for attackers to execute remote code and take complete control of affected websites. Successful exploitation requires the "Host Files Locally - Gravatars" add-on to be enabled, which is not activated by default on fresh installations.


The conditional nature of the exploit limits the attack surface to sites where administrators have specifically turned on the Gravatar hosting feature. WordPress.org statistics do not track how many active installations have enabled this add-on, leaving the precise number of vulnerable sites unknown.

Immediate Remediation Steps

Defiant's threat intelligence team recommends immediate upgrade to Breeze Cache version 2.4.5 for all sites currently running the plugin. Website administrators unable to deploy the patch immediately should disable the "Host Files Locally - Gravatars" feature as a temporary mitigation measure.

Sites that cannot upgrade or disable the feature face active exploitation risk from unauthenticated attackers. The 170 documented attack attempts represent detections by Wordfence installations and likely undercount total exploitation activity across the WordPress ecosystem.

The vulnerability's classification as "unauthenticated arbitrary file upload" places it in the highest risk category for WordPress security issues. This attack class bypasses all authentication mechanisms and gives attackers direct write access to the server filesystem.
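
Because the root cause is missing file-type validation on fetched Gravatars, a site that ran 2.4.4 or earlier with the add-on enabled can be checked for stored avatar files that are not images. The following is an added example, not code from Defiant, Cloudways or the plugin; the page does not give the directory where Breeze stores local Gravatars, so the caller supplies it, and the sample files are constructed.

```python
import os
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


def looks_like_image(head):
    """True when the leading bytes match JPEG, PNG, GIF or WebP."""
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return True
    return head.startswith(IMAGE_MAGIC)


def audit_avatar_dir(root):
    """Return sorted (relative_path, reason) for files that are not plain images."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # first 1 MiB is plenty for an avatar
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_EXTS:
                reason = "non-image extension"
            elif not looks_like_image(data[:16]):
                reason = "content is not an image"
            elif b"<?php" in data.lower():
                reason = "PHP open tag inside image"
            else:
                continue
            findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo():
    """Build a constructed sample directory and audit it."""
    samples = {
        "a1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,      # valid PNG header
        "b2.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,        # valid JPEG header
        "c3.php": b"placeholder, not an image",             # wrong extension
        "d4.gif": b"plain text saved under an image name",  # wrong content
        "e5.gif": b"GIF89a" + b"\x00" * 8 + b"<?PHP ",      # script text after header
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return audit_avatar_dir(root)
```

Any finding on a production site is a reason to preserve the file and its timestamps for investigation before cleaning up; an empty result does not rule out files written elsewhere on the filesystem.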

Patch Deployment Timeline

Cloudways released the security patch on April 21, 2026. The roughly 138,000 downloads since that date represent approximately 34 percent of the plugin's 400,000 active installation base, assuming no duplicate downloads or test environments.

The gap between patch release and universal deployment creates an active exploitation window. WordPress plugins do not auto-update by default unless administrators have enabled that feature at the plugin or site level. Manual update deployment timelines vary widely across agencies managing multiple client sites.

Sites still running Breeze Cache 2.4.4 or earlier remain vulnerable until administrators apply the patch or disable the affected Gravatar feature. The exploitation attempts detected by Wordfence indicate that active scanning for vulnerable installations continues after the patch release.

Context and Outlook

WordPress security vulnerabilities with active exploitation require immediate attention from agencies managing client portfolios. A single compromised client site can trigger breach notification requirements, liability exposure, and client relationship damage that far exceeds the operational cost of emergency patch deployment across managed sites.

Agencies using centralized management platforms like ManageWP, MainWP, or InfiniteWP can deploy the Breeze Cache 2.4.5 update to multiple client sites simultaneously. Those managing sites individually through separate WordPress dashboards face higher labor costs per patch deployment but carry the same risk exposure. The Gravatar feature toggle provides a zero-downtime mitigation option for sites where immediate plugin updates conflict with active development work or scheduled maintenance windows.

The 170 documented exploitation attempts represent detection by a single security product on a subset of WordPress installations. Total attack volume across all Breeze Cache installations likely exceeds that figure significantly. Agencies that defer patching while they evaluate the scope risk discovering compromised sites after the fact, when remediation costs include forensic investigation, malware cleanup, and potential data breach response rather than a simple plugin update.