CVE-2026-3844

CRITICAL EXPLOITED NUCLEI LAB

Breeze Cache <= 2.4.4 - Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote

Title source: cna

Exploitation Summary

CVE-2026-3844 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 11 public exploits from researchers including adminlove520, halilkirazkaya, Dhananjayasj. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-3844, an unauthenticated file upload vulnerability in the WordPress Breeze plugin (versions up to 2.4.4). The exploit leverages the `breeze_fetch_gravatar` action to upload a PHP webshell, achieving remote code execution (RCE).

Description

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.

Exploits (11)

github WORKING POC 4 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-3844

This repository contains a functional exploit for CVE-2026-3844, an unauthenticated file upload vulnerability in the WordPress Breeze plugin (versions up to 2.4.4). The exploit leverages the `breeze_fetch_gravatar` action to upload a PHP webshell, achieving remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Breeze Plugin (versions up to 2.4.4)
No auth needed
Prerequisites: Target running vulnerable WordPress Breeze plugin · Network access to the target
devstral-2 · analyzed May 14, 2026

github WORKING POC 3 stars
by halilkirazkaya · python · poc
https://github.com/halilkirazkaya/CVE-2026-3844

This repository contains a functional exploit for CVE-2026-3844, an unauthenticated arbitrary file upload vulnerability in the Breeze Cache WordPress plugin (≤ 2.4.4). The exploit leverages a flaw in the `fetch_gravatar_from_remote` function to upload a malicious PHP shell, leading to remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Breeze Cache WordPress plugin ≤ 2.4.4
No auth needed
Prerequisites: Host Files Locally - Gravatars option must be enabled · WordPress site with Breeze Cache plugin ≤ 2.4.4 installed
devstral-2 · analyzed Apr 30, 2026

github WORKING POC
by Dhananjayasj · python · remote
https://github.com/Dhananjayasj/CVE-2026-3844-Breeze-Cache-WordPress-Plugin-Remote-Code-Execution

This repository contains a functional exploit for CVE-2026-3844, an unauthenticated arbitrary file upload vulnerability in the Breeze Cache WordPress plugin (versions <= 2.4.4). The exploit leverages a malicious comment with a crafted `srcset` attribute to upload a remote payload, which is then cached and executed by the plugin.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Breeze Cache WordPress Plugin <= 2.4.4
No auth needed
Prerequisites: Gravatar hosting feature must be enabled in Breeze Cache settings
devstral-2 · analyzed Jun 06, 2026

github WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-3844

This repository contains a functional exploit for CVE-2026-3844, targeting Breeze Cache <= 2.4.4. The exploit leverages unauthenticated arbitrary file upload via comment injection to achieve RCE.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Breeze Cache WordPress plugin <= 2.4.4
No auth needed
Prerequisites: 'Host Files Locally - Gravatars' setting enabled · WordPress post with open comments
devstral-2 · analyzed May 21, 2026

nomisec WORKING POC
by zycoder0day · remote
https://github.com/zycoder0day/CVE-2026-3844

This repository contains a functional exploit for CVE-2026-3844, targeting Breeze Cache for WordPress. It demonstrates three distinct vectors for unauthenticated PHP file write, leading to remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Breeze Cache for WordPress <= 2.4.4 (v1/v2) / <= 2.0.27 (v3)
No auth needed
Prerequisites: WordPress with Breeze Cache plugin installed · Network access to the target WordPress site
devstral-2 · analyzed May 11, 2026

nomisec WORKING POC
by rootdirective-sec · poc
https://github.com/rootdirective-sec/CVE-2026-3844-Lab

This repository contains a functional exploit PoC for CVE-2026-3844, demonstrating an unauthenticated arbitrary file upload vulnerability in the Breeze Cache WordPress plugin (version 2.4.4) leading to remote code execution (RCE). The lab includes a Docker-based environment with vulnerable and patched versions of the plugin, along with a proof-of-concept script that triggers the vulnerability via a crafted comment with a controlled `srcset` string.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Breeze Cache WordPress plugin 2.4.4
No auth needed
Prerequisites: Breeze Cache plugin version 2.4.4 · Local Gravatar caching enabled in Breeze settings
devstral-2 · analyzed May 09, 2026

nomisec WORKING POC
by sahmsec · remote
https://github.com/sahmsec/CVE-2026-3844

This repository contains a functional Python exploit for CVE-2026-3844, an unauthenticated arbitrary file upload vulnerability in WordPress Breeze Cache <= 2.4.4. The exploit leverages a malicious comment with a crafted `srcset` attribute to trigger file upload via the caching mechanism.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Breeze Cache <= 2.4.4
No auth needed
Prerequisites: WordPress site with Breeze Cache plugin <= 2.4.4 · Comment posting enabled · Access to /wp-comments-post.php
devstral-2 · analyzed May 08, 2026

github WORKING POC
by dinosn · python · remote
https://github.com/dinosn/CVE-2026-3844

This repository contains a functional exploit for CVE-2026-3844, demonstrating an unauthenticated arbitrary file upload vulnerability in Breeze Cache <= 2.4.4, leading to remote code execution (RCE). The exploit leverages a lack of MIME type validation and file extension restrictions in the `fetch_gravatar_from_remote()` function, allowing an attacker to upload a malicious PHP file via a crafted comment.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Breeze Cache WordPress plugin <= 2.4.4
No auth needed
Prerequisites: Breeze plugin version <= 2.4.4 installed and active · Host Files Locally - Gravatars setting enabled · WordPress comments open on at least one post · Attacker's payload server reachable from the WordPress server
devstral-2 · analyzed Apr 25, 2026

nomisec WORKING POC
by tausifzaman · remote
https://github.com/tausifzaman/CVE-2026-3844

This repository contains a functional exploit PoC for CVE-2026-3844, an unauthenticated file upload vulnerability in the WordPress Breeze plugin leading to RCE. The exploit automates version detection and payload delivery via the `breeze_fetch_gravatar` action.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Breeze Plugin (versions up to 2.4.4)
No auth needed
Prerequisites: Target running vulnerable WordPress Breeze plugin · Network access to the target
devstral-2 · analyzed Apr 24, 2026

nomisec WORKING POC
by 0xgh057r3c0n · remote
https://github.com/0xgh057r3c0n/CVE-2026-3844

This repository contains a functional Python exploit for CVE-2026-3844, an unauthenticated arbitrary file upload vulnerability in WordPress Breeze Cache <= 2.4.4. The exploit leverages a malicious comment with a crafted `srcset` attribute to trigger file caching, resulting in remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Breeze Cache <= 2.4.4
No auth needed
Prerequisites: WordPress site with Breeze Cache plugin <= 2.4.4 · Access to `/wp-comments-post.php` · Gravatar caching enabled
devstral-2 · analyzed Apr 24, 2026

nomisec WORKING POC
by im-hanzou · remote
https://github.com/im-hanzou/CVE-2026-3844

This repository contains a functional Python exploit for CVE-2026-3844, targeting a Breeze Cache arbitrary file upload vulnerability in WordPress. The exploit automates the process of uploading a malicious file via a crafted comment submission and verifies successful uploads.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress with Breeze Cache plugin
No auth needed
Prerequisites: Target URL with vulnerable Breeze Cache plugin · Accessible wp-comments-post.php endpoint
devstral-2 · analyzed Apr 24, 2026

Nuclei Templates (1)

Breeze <= 2.4.4 - Arbitrary File Upload
CRITICAL · VERIFIED · by theamanrawat, ritikchaddha
Shodan: http.html:"/wp-content/plugins/breeze/"
FOFA: body="/wp-content/plugins/breeze/"

Scores

CVSS v3 9.8
EPSS 0.2935
EPSS Percentile 96.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY SUSPICIOUS
Community Lab
docker pull wordpress:6.5-php8.2-apache
docker pull wordpress:latest
docker pull wordpress:6.8.1-php8.2-apache

Details

VulnCheck KEV 2026-04-23
CWE CWE-434
Status published
Products (1)
cloudways/Breeze Cache < 2.4.4
Published Apr 23, 2026
Tracked Since Apr 23, 2026