Share
## https://sploitus.com/exploit?id=06F690C6-A3EE-5C47-9527-021E69B3B123
# CVE-2026-3844 โ€” Breeze Cache RCE

**Unauthenticated Arbitrary File Upload โ†’ Remote Code Execution**

| Field | Value |
|-------|-------|
| **CVE** | CVE-2026-3844 |
| **CVSS** | 9.8 (Critical) |
| **Plugin** | Breeze Cache (Cloudways) |
| **Affected** | โ‰ค 2.4.4 |
| **Fixed** | 2.4.5 |
| **Discovered by** | Hung Nguyen (bashu) |
| **PoC by** | halilkirazkaya |

---

## Overview

Breeze Cache WordPress plugin (โ‰ค 2.4.4) contains a critical arbitrary file upload vulnerability. Attackers are actively exploiting this flaw to gain **Remote Code Execution (RCE)** and complete website takeover without any authentication.

The flaw lives in the `fetch_gravatar_from_remote` function inside `class-breeze-cache-cronjobs.php`. The function fetches Gravatar images from a remote URL and stores them locally in the WordPress uploads directory without validating the file type or content.

### Technical Breakdown

- **Vulnerable Function**: `fetch_gravatar_from_remote`
- **Mechanism**: The plugin attempts to mirror Gravatar images locally to improve performance. By controlling the author metadata (specifically `srcset` or `src` via comment injection), an attacker can force the server to download a malicious PHP shell from a remote URL.
- **Prerequisite**: The **"Host Files Locally - Gravatars"** option must be enabled (disabled by default).
- **Exploitation Status**: Actively exploited in the wild with thousands of attempts reported by Wordfence.

---

## Lab Setup

### 1. Download Vulnerable Plugin

```bash
wget https://downloads.wordpress.org/plugin/breeze.2.4.4.zip
unzip breeze.2.4.4.zip
rm breeze.2.4.4.zip
```

### 2. Start the Environment

```bash
docker compose up -d
```

### 3. Configure WordPress

1. Open `http://localhost` and complete the WordPress installation.
2. Go to **Plugins โ†’ Installed Plugins** and activate **Breeze**.
3. Go to **Breeze โ†’ Settings** and enable **Host Files Locally - Gravatars**.

![Breeze Settings](./assets/settings.png)

### 4. Install Dependencies

```bash
pip install -r requirements.txt
```

---

## Usage

```bash
# Check vulnerability only (reads version from readme.txt)
python3 exploit.py -u http://TARGET-URL -c

# Run full exploit (injection + trigger + shell check)
python3 exploit.py -u http://TARGET-URL
```

![Exploit Success](./assets/exploit.png)

---

## Mitigation & IoCs

### Mitigation
- **Update**: Upgrade to Breeze Cache **2.4.5** or later.
- **Interim Fix**: Disable the **"Host Files Locally - Gravatars"** option in settings.

### Indicators of Compromise (IoCs)
- **Files**: Check `/wp-content/cache/breeze-extra/gravatars/` (or `/uploads/breeze/gravatars/`) for unexpected `.php`, `.phtml`, or `.phar` files.
- **Logs**: Review web server access logs for requests to `admin-ajax.php` or `wp-cron.php` related to `fetch_gravatar_from_remote` parameters.
- **Network**: Monitor outbound connections from the web server to unfamiliar external URLs.

---

## Disclaimer

This tool is provided for **authorized security testing and educational purposes only**. Unauthorized access to computer systems is illegal. Use responsibly.