TopVuln

High-risk vulnerability digests

CVE-2026-3844

  • CRITICAL

Exploit for CVE-2026-3844

Details

CVSS v3: 9.8
NVD published: 2026-04-23 03:16:17
EPSS: 13.1% probability · 94.2th percentile — 2026-05-12
Affected versions: Breeze Cache WordPress plugin, all versions up to and including 2.4.4

Summary: The Breeze Cache plugin for WordPress lacks proper file type validation in the `fetch_gravatar_from_remote` function, allowing unauthenticated attackers to upload arbitrary files to the affected server. Successful exploitation leads to remote code execution. The vulnerability is only exploitable if the optional `Host Files Locally - Gravatars` setting is enabled, a common non-default configuration.

Remediation: Update Breeze Cache to the latest patched version immediately. If patching is not possible, disable the `Host Files Locally - Gravatars` setting and implement WAF rules to block malicious requests to the vulnerable function.

Exploit info: No public exploit found yet.
