WordPress Breeze Cache Under Active Attack — Patch CVE-2026-3844 Today

What’s happened: A critical flaw in the Breeze Cache WordPress plugin — tracked as CVE-2026-3844 and rated 9.8 out of 10 — is being actively exploited. Attackers can upload arbitrary files to a vulnerable site without logging in, which means full website takeover. As reported by BleepingComputer, more than 170 exploit attempts have already been logged against affected sites.

Who’s affected: Every WordPress site running Breeze Cache 2.4.4 or earlier, where the “Host Files Locally – Gravatars” add-on has been turned on. That’s a subset of the 400,000+ sites that use the plugin – but it’s a common setting and “subset” doesn’t mean small. Breeze ships from Cloudways and is popular with small business sites, hospitality booking pages, NFP donation sites and wealth management brochureware. If you run WordPress, you could be exposed even if you’ve never heard of this plugin.

Why it matters in Australia: A successful exploit gives an attacker remote code execution on your web server. From there they can deface the site, swap bank details on payment pages, drop malware on visitors, or pivot into whatever else the server touches. Under the Privacy Act, if personal information is accessed or stolen, that’s a notifiable breach. Add reputational damage and downtime and a “minor plugin bug” becomes a very bad week.

What to do today:

  1. Log in to wp-admin and check Plugins for Breeze Cache. If present, update to version 2.4.5 or later.
  2. If you can’t update right now, open the plugin settings and disable “Host Files Locally – Gravatars” as an interim mitigation.
  3. Ask your web host or IT provider whether they have WAF rules in place for CVE-2026-3844 and whether they can check your site for suspicious uploaded files over the past week.
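
For anyone with shell access to the web server, steps 1 and 3 can be checked from the command line. This is an added example, not code from this article or from Cloudways; it assumes the plugin's main file is wp-content/plugins/breeze/breeze.php and that uploads live under wp-content/uploads, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: defender-side triage for CVE-2026-3844 (steps 1 and 3).
# Assumed paths, not from the article: wp-content/plugins/breeze/breeze.php
# and wp-content/uploads. Function names are hypothetical.
FIXED_VERSION="2.4.5"   # first fixed release named in the article

# Print the "Version:" value from a WordPress plugin header comment.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 is lower than $2 (numeric per component).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# List files under $1 modified in the last $2 days whose name contains a
# .php*/.pht*/.pha* extension (also catches double extensions like x.php.jpg).
recent_scripts() {
    find "$1" -type f -mtime "-$2" -name '*.[pP][hH][pPtTaA]*' 2>/dev/null | sort
}

# Exit status is a bitmask: 1 = Breeze older than the fix, 2 = files to review.
check_site() {
    root=$1; status=0
    main="$root/wp-content/plugins/breeze/breeze.php"
    if [ -f "$main" ]; then
        v=$(plugin_version "$main")
        if version_lt "$v" "$FIXED_VERSION"; then
            echo "Breeze $v: update to $FIXED_VERSION or later, or disable the Gravatars add-on"
            status=1
        else
            echo "Breeze $v: at or above the fixed release"
        fi
    fi
    hits=$(recent_scripts "$root/wp-content/uploads" 7)
    if [ -n "$hits" ]; then
        echo "Script files written in the last 7 days, review each:"; echo "$hits"
        status=$((status + 2))
    fi
    return "$status"
}

# Run only when a WordPress root is supplied, e.g. WP_ROOT=/var/www/html sh check.sh
if [ -n "${WP_ROOT:-}" ]; then check_site "$WP_ROOT"; fi
```

Run the file check even after updating: the update closes the upload path but does not remove anything written to the server before it.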

If WordPress security is something you’d rather not think about every time a plugin announces a bug, talk to our team about managed cybersecurity – patching, monitoring, and rapid response, done for you.
