Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files on the server without authentication. The security issue is tracked as CVE-2026-3844 and has been leveraged in more than 170 exploitation attempts by the Wordfence security solution for the WordPress ecosystem. The Breeze Cache WordPress caching plugin from Cloudways has more than 400,000 active installations and is designed to improve performance and loading speed by reducing page load frequency through caching, file optimization, and database cleanup. The vulnerability received a critical severity score of 9.8 out of 10 and was discovered and reported by security researcher Hung Nguyen (bashu). Researchers at WordPress security company Defiant, the developer of Wordfence, say that the problem stems from missing file-type validation in the ‘fetch_gravatar_from_remote’ function. This allows an unauthenticated attacker to upload arbitrary files to the server, which can lead to remote code execution (RCE) and complete website takeover. However, successful exploitation is possible only if the “Host Files Locally - Gravatars” add-on is turned on, which is not the default state, the researchers say. CVE-2026-3844 affects all Breeze Cache versions up to and including 2.4.4. Cloudways fixed the flaw in version 2.4.5, released earlier this week.