cleantalk
Vulnerabilities and Security Researches

Breeze – WordPress Cache Plugin, CVE-2026-3844

CVE, Research URL

CVE-2026-3844

Home page URL

Security reports for Breeze – WordPress Cache Plugin

Application

Breeze – WordPress Cache Plugin

Published on
Apr 23, 2026
Research Description
The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.
Affected versions
max 2.4.5.
Status
vulnerable
Previous vulnerability researches
Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal (CVE-2025-6043) , Jul 19, 2025
Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal (CVE-2025-3701) , Apr 23, 2026
Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal (24596766a0adccfc0371fdbefc213380e7bbc7c5) , Jun 14, 2025
New vulnerability
Events Addon for Elementor (CVE-2025-8150) , Apr 24, 2026
WordPress Infinite Scroll – Ajax Load More (CVE-2025-59582) , Apr 24, 2026
WP Compress – Image Optimizer [All-In-One] (CVE-2025-57899) , Apr 24, 2026
Classified Listing – Classified ads & Business Directory Plugin (CVE-2025-7711) , Apr 24, 2026
Popup Anything – Popup for opt-ins and Lead Generation Conversions (CVE-2026-6443) , Apr 24, 2026