Breeze Cache <= 2.4.4 - Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote

Description

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.

Affected Products

Vendor	Product	Versions
cloudways	breeze cache	0

References

Related News (1 articles)

Tier C

VulDB13h ago

CVE-2026-3844 | cloudways Breeze Cache Plugin up to 2.4.4 on WordPress fetch_gravatar_from_remote unrestricted upload

→ No new info (linked only)

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV✅ Yes

Actively exploited✅ Yes

CWECWE-434

PublishedApr 23, 2026

Last enriched12h agov2

Trending Score107🔥

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Breeze Cache <= 2.4.4 - Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote

Description

Affected Products

References

Related News (1 articles)

Community Vote

Pin to Dashboard

Verification

Vulnerability Timeline

Version History