CVE-2026-3844
Published: 23 April 2026
Summary
CVE-2026-3844 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the missing file type validation in the 'fetch_gravatar_from_remote' function by enforcing validation of all information inputs including uploaded files.
Prevents exploitation by configuring the system to disable unnecessary functionality such as 'Host Files Locally - Gravatars', eliminating the vulnerable upload path.
Remediates the arbitrary file upload flaw by identifying, patching, and deploying the fix from changeset 3511463 in Breeze Cache versions beyond 2.4.4.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload vulnerability in public-facing WordPress plugin enables exploitation of public-facing application (T1190) and facilitates uploading web shells for RCE (T1100).
NVD Description
The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary…
more
files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.
Deeper analysisAI
CVE-2026-3844 is an arbitrary file upload vulnerability in the Breeze Cache plugin for WordPress, stemming from missing file type validation in the 'fetch_gravatar_from_remote' function. It affects all versions up to and including 2.4.4. The flaw allows attackers to upload arbitrary files to the affected site's server, potentially enabling remote code execution. Exploitation requires the "Host Files Locally - Gravatars" setting to be enabled, which is disabled by default. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By leveraging the flawed function, they can upload malicious files, such as web shells, to the server. Successful exploitation may lead to full remote code execution, granting attackers control over the compromised WordPress site.
Advisories and references, including Wordfence threat intelligence and WordPress plugin trac details, point to a patch in changeset 3511463 for the Breeze plugin. Source code views for versions like 2.4.1 highlight the vulnerable lines in class-breeze-cache-cronjobs.php at lines 119 and 89, indicating where validation was absent prior to the fix. Security practitioners should update to a patched version beyond 2.4.4 and verify the Gravatars setting is disabled.
Details
- CWE(s)