CVE-2026-3844

CVE-2026-3844 is an arbitrary file upload vulnerability in the Breeze Cache plugin for WordPress, stemming from missing file type validation in the 'fetch_gravatar_from_remote' function. It affects all versions up to and including 2.4.4. The flaw allows attackers to upload arbitrary files to the affected site's server, potentially enabling remote code execution. Exploitation requires the "Host Files Locally - Gravatars" setting to be enabled, which is disabled by default. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By leveraging the flawed function, they can upload malicious files, such as web shells, to the server. Successful exploitation may lead to full remote code execution, granting attackers control over the compromised WordPress site.

Advisories and references, including Wordfence threat intelligence and WordPress plugin trac details, point to a patch in changeset 3511463 for the Breeze plugin. Source code views for versions like 2.4.1 highlight the vulnerable lines in class-breeze-cache-cronjobs.php at lines 119 and 89, indicating where validation was absent prior to the fix. Security practitioners should update to a patched version beyond 2.4.4 and verify the Gravatars setting is disabled.