Breeze Cache < 2.4.5 – Unauthenticated Arbitrary File Upload | CVE 2026-3844 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.

Affects Plugins

Fixed in 2.4.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e342b1c0-6e7f-4e2c-8a52-018df12c12a0

Miscellaneous

Original Researcher

Hung Nguyen (bashu)

Verified

No

WPVDB ID

4acfefc2-88a2-4dc5-8102-f0f8e4913661

Timeline

Publicly Published

2026-04-22 (about 2 months ago)

Added

2026-04-22 (about 2 months ago)

Last Updated

2026-06-22 (about 1 day ago)

Other

Published

Title

Published

2015-12-23

Title

NextGEN Gallery < 2.1.15 - Unrestricted File Upload

Published

2024-08-13

Title

Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel < 3.1.2 - Authenticated (Contributor+) Arbitrary File Upload

Published

2023-11-14

Title

Slider Revolution < 6.6.16 - Authenticated (Author+) Arbitrary File Upload

Published

2023-10-09

Title

Royal Elementor Addons and Templates < 1.3.79 - Unauthenticated Arbitrary File Upload

Published

2025-09-29

Title

Qyrr – simply and modern QR-Code creation < 2.0.8 - Authenticated (Contributor+) Arbitrary File Upload