Critical Vulnerability in Breeze Cache WordPress Plugin Under Active Exploitation
A critical vulnerability in the **Breeze Cache** plugin for **WordPress** is being actively exploited, allowing unauthenticated attackers to upload arbitrary files. The flaw, tracked as **CVE-2026-3844**, could lead to remote code execution and complete website takeover.

**Critical Vulnerability Exploited in Breeze Cache Plugin**
Hackers are actively exploiting a critical vulnerability in the **Breeze Cache** plugin for **WordPress** that allows uploading arbitrary files on the server without authentication.
The security issue is tracked as **CVE-2026-3844** and has been leveraged in more than 170 exploitation attempts seen by the **Wordfence** security solution for the **WordPress** ecosystem.
The **Breeze Cache WordPress** caching plugin from **Cloudways** has more than 400,000 active installations and is designed to improve performance and loading speed by reducing page load frequency through caching, file optimization, and database cleanup.
The vulnerability received a critical severity score of 9.8 out of 10 and was discovered and reported by security researcher Hung Nguyen (bashu).
Researchers at **Wordfence** say that the problem stems from missing file-type validation in the "fetch_gravatar_from_remote" function.
This allows an unauthenticated attacker to upload arbitrary files to the server, which can lead to remote code execution (RCE) and complete website takeover.
However, successful exploitation is possible only if the "Host Files Locally - Gravatars" add-on is turned on, which is not the default state, the researchers say.
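The root cause described above is that nothing checked what kind of file was being stored. As an added example (not Breeze, Cloudways or Wordfence code), this Python script applies a content-based image check to every file in a directory of locally hosted avatars and reports anything that is not a plain image; the directory is supplied by the caller because the page does not say where the plugin stores these files, and the function names are illustrative.

```python
import os
import sys

# Leading-byte signatures for the image formats an avatar can legitimately be.
SIGNATURES = {"png": (b"\x89PNG\r\n\x1a\n",), "jpeg": (b"\xff\xd8\xff",),
              "gif": (b"GIF87a", b"GIF89a")}
# File extensions that are consistent with each detected type.
EXTENSIONS = {"png": {".png"}, "jpeg": {".jpg", ".jpeg"},
              "gif": {".gif"}, "webp": {".webp"}}

def sniff_image_type(data):
    """Return the image type named by the file's leading bytes, or None."""
    for kind, magics in SIGNATURES.items():
        if data.startswith(magics):
            return kind
    # WebP is a RIFF container with "WEBP" at offset 8.
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None

def check_avatar(name, data):
    """Return None if the file is an acceptable avatar, else the reason."""
    kind = sniff_image_type(data)
    if kind is None:
        return "content is not a recognised image"
    ext = os.path.splitext(name)[1].lower()
    if ext not in EXTENSIONS[kind]:
        return f"extension {ext or '(none)'} does not match {kind} content"
    # Heuristic: a valid image header followed by script code.
    if b"<?php" in data:
        return "PHP open tag inside image data"
    return None

def audit_dir(root):
    """Walk root and return (path, reason) for every file that fails."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                reason = check_avatar(name, fh.read())
            if reason:
                findings.append((path, reason))
    return findings

if __name__ == "__main__":
    # Usage: python audit_avatars.py <avatar-directory>  (path is an assumption)
    for path, reason in audit_dir(sys.argv[1]):
        print(f"{path}: {reason}")
```

An empty report only means no file in that directory failed these checks; it does not show that the site was never targeted.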
**Affected Versions and Mitigation**
**CVE-2026-3844** affects all **Breeze Cache** versions up to and including 2.4.4. **Cloudways** fixed the flaw in version 2.4.5, released earlier this week.
According to statistics from WordPress.org, the plugin has had roughly 138,000 downloads since the release of the latest version. It is unclear how many websites are vulnerable, though, because there is no data on the number that have the "Host Files Locally - Gravatars" add-on enabled.
Given the active exploitation status, website owners and admins who rely on **Breeze Cache** to boost performance are advised to upgrade to the latest version of the plugin as soon as possible or temporarily disable it.
If upgrading is currently not possible, admins should at least disable the "Host Files Locally - Gravatars" add-on.