Patch now! Attacks on WordPress plug-in Breeze Cache observed

Security researchers warn that attackers have been exploiting a “critical” security vulnerability in the WordPress plug-in Breeze Cache since April of this year. Subsequently, sites are considered compromised. A version of the plug-in equipped to handle this is available for download. However, attacks are not straightforward.

Background on the Vulnerability

Security researchers from Wordfence are warning about the attacks in a post. According to the plug-in website, Breeze Cache currently has more than 400,000 active installations. These websites are potentially attackable. However, attacks are only possible if the “Host Files Locally – Gravatars” function is active, which is not the case by default. Web admins should ensure that version 2.4.5, which is protected against attacks, is installed.

The security researchers state that they observed nearly 5,000 exploit attempts in a single day at their peak. In total, they report having documented more than 30,000 attack attempts. Due to insufficient file validation, attackers can exploit the (CVE-2026-3844 “critical”) vulnerability without authentication and upload malicious code. Among other things, they place backdoors on servers. Wordfence has reportedly paid the discoverer of the vulnerability a bug bounty of nearly 2700 US dollars.

In their post, the researchers explain the specific nature of the security problem. They also show how attackers proceed. Furthermore, they provide information on the attackers' IP addresses, among other things. From this, admins can derive indicators of compromise (IoC) to narrow down already attacked instances.

(des)