A critical vulnerability in the Breeze Cache WordPress plugin, identified as CVE-2026-3844, is being exploited by hackers to upload malicious files to servers without requiring authentication (SecurityAffairs, 2026). The flaw has a CVSS score of 9.8 and has already been used in over 170 attack attempts, putting over 400,000 sites at risk.

The Breeze Cache plugin, developed by Cloudways, is designed to improve website performance and speed, but this vulnerability has expanded the active attack surface. Threat actors can compromise websites without needing login credentials, which makes it a significant concern for website owners and administrators.

The exploitation highlights the importance of prioritizing security updates and patches, especially for widely used plugins like Breeze Cache. Website owners and practitioners should assess their exposure to this vulnerability and take immediate action to mitigate potential risks.
Over 400,000 sites at risk as hackers exploit Breeze Cache plugin flaw (CVE-2026-3844)
⚠️ Critical Alert
Why This Matters
CVE-2026-3844 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
References
- SecurityAffairs. (2026, April 25). Over 400,000 sites at risk as hackers exploit Breeze Cache plugin flaw (CVE-2026-3844). SecurityAffairs. https://securityaffairs.com/191267/uncategorized/over-400000-sites-at-risk-as-hackers-exploit-breeze-cache-plugin-flaw-cve-2026-3844.html
Original Source
SecurityAffairs