## https://sploitus.com/exploit?id=06F690C6-A3EE-5C47-9527-021E69B3B123
# CVE-2026-3844 โ Breeze Cache RCE
**Unauthenticated Arbitrary File Upload โ Remote Code Execution**
| Field | Value |
|-------|-------|
| **CVE** | CVE-2026-3844 |
| **CVSS** | 9.8 (Critical) |
| **Plugin** | Breeze Cache (Cloudways) |
| **Affected** | โค 2.4.4 |
| **Fixed** | 2.4.5 |
| **Discovered by** | Hung Nguyen (bashu) |
| **PoC by** | halilkirazkaya |
---
## Overview
Breeze Cache WordPress plugin (โค 2.4.4) contains a critical arbitrary file upload vulnerability. Attackers are actively exploiting this flaw to gain **Remote Code Execution (RCE)** and complete website takeover without any authentication.
The flaw lives in the `fetch_gravatar_from_remote` function inside `class-breeze-cache-cronjobs.php`. The function fetches Gravatar images from a remote URL and stores them locally in the WordPress uploads directory without validating the file type or content.
### Technical Breakdown
- **Vulnerable Function**: `fetch_gravatar_from_remote`
- **Mechanism**: The plugin attempts to mirror Gravatar images locally to improve performance. By controlling the author metadata (specifically `srcset` or `src` via comment injection), an attacker can force the server to download a malicious PHP shell from a remote URL.
- **Prerequisite**: The **"Host Files Locally - Gravatars"** option must be enabled (disabled by default).
- **Exploitation Status**: Actively exploited in the wild with thousands of attempts reported by Wordfence.
---
## Lab Setup
### 1. Download Vulnerable Plugin
```bash
wget https://downloads.wordpress.org/plugin/breeze.2.4.4.zip
unzip breeze.2.4.4.zip
rm breeze.2.4.4.zip
```
### 2. Start the Environment
```bash
docker compose up -d
```
### 3. Configure WordPress
1. Open `http://localhost` and complete the WordPress installation.
2. Go to **Plugins โ Installed Plugins** and activate **Breeze**.
3. Go to **Breeze โ Settings** and enable **Host Files Locally - Gravatars**.

### 4. Install Dependencies
```bash
pip install -r requirements.txt
```
---
## Usage
```bash
# Check vulnerability only (reads version from readme.txt)
python3 exploit.py -u http://TARGET-URL -c
# Run full exploit (injection + trigger + shell check)
python3 exploit.py -u http://TARGET-URL
```

---
## Mitigation & IoCs
### Mitigation
- **Update**: Upgrade to Breeze Cache **2.4.5** or later.
- **Interim Fix**: Disable the **"Host Files Locally - Gravatars"** option in settings.
### Indicators of Compromise (IoCs)
- **Files**: Check `/wp-content/cache/breeze-extra/gravatars/` (or `/uploads/breeze/gravatars/`) for unexpected `.php`, `.phtml`, or `.phar` files.
- **Logs**: Review web server access logs for requests to `admin-ajax.php` or `wp-cron.php` related to `fetch_gravatar_from_remote` parameters.
- **Network**: Monitor outbound connections from the web server to unfamiliar external URLs.
---
## Disclaimer
This tool is provided for **authorized security testing and educational purposes only**. Unauthorized access to computer systems is illegal. Use responsibly.