
Hackers Exploit File Upload Bug in Breeze Cache WordPress Plugin
Why It Matters
The bug puts hundreds of thousands of WordPress sites at risk of full takeover, highlighting the urgency for rapid patching in the fast‑moving plugin ecosystem. It also underscores the broader challenge of securing third‑party extensions that power the majority of web traffic.
Key Takeaways
- CVE‑2026‑3844 scores 9.8/10, flagged as critical
- Exploit requires the ‘Host Files Locally – Gravatars’ add‑on to be enabled
- Over 170 attacks detected by Wordfence across WordPress sites
- Cloudways patched the bug in the Breeze Cache 2.4.5 release
Pulse Analysis
The Breeze Cache plugin, a popular performance tool with over 400,000 active installations, became the latest target in a wave of attacks on the WordPress plugin ecosystem. The weakness sits in the fetch_gravatar_from_remote function: the file‑type validation on the fetched avatar can be bypassed, so an attacker can get a script rather than an image written to disk, and that script then runs with the web server's privileges. The vulnerability is only reachable when the optional “Host Files Locally – Gravatars” feature is turned on, but because the plugin is so widely deployed, and the feature is exactly the kind of setting administrators enable to speed up image loading, the exposed population is still large.
Security researchers at Defiant, the makers of Wordfence, reported more than 170 active exploitation attempts. That figure covers only sites whose traffic Wordfence's firewall inspects, so the true scale is almost certainly higher. The CVSS score of 9.8 reflects both the ease of exploitation (no authentication is needed once the feature is enabled) and the severity of the outcome, which ranges from data theft to complete site takeover. For businesses that rely on WordPress for e‑commerce or content delivery, a breach can translate into lost revenue, brand damage, and regulatory fallout, making timely remediation a top priority.
Cloudways responded quickly, releasing version 2.4.5, which adds strict file‑type checks and disables the vulnerable gravatar functionality by default. Administrators should verify they are running the patched version, or temporarily disable the “Host Files Locally – Gravatars” setting if an upgrade is not feasible. Note that disabling the setting or upgrading stops new malicious uploads but does not remove anything already planted: a site that had the feature enabled before patching should also be checked for unexpected PHP files in its locally hosted avatar directory. This incident serves as a reminder that even well‑intentioned performance plugins can become vectors for compromise, reinforcing the need for continuous vulnerability monitoring, automated patch management, and a layered defense strategy across the WordPress ecosystem.
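To make the two preceding paragraphs concrete, here is an added illustrative example, written for this article and not taken from Breeze Cache or from the 2.4.5 patch, of the general bug class and its fix: a routine that fetches a Gravatar and stores it locally. The unsafe function shows the generic mistake of letting the remote side decide the file type on disk; the hardened function sniffs the bytes, derives the extension from the detected image type, and only ever fetches a URL built from a validated hash. The function names, the directory argument and the size/timeout values are assumptions; the WordPress and PHP APIs used are real.

```php
<?php
// Added example for this article; not the plugin's own code.
// Both functions take a target directory chosen by the caller.

// UNSAFE pattern (generic illustration, not the plugin's code): the extension
// written to disk comes from the remote URL, and the body is never inspected.
// If an attacker can influence the URL or the upstream reply, a ".php" file
// ends up in a web-served directory and executes as the web server user.
function unsafe_store_remote_file( $url, $dir ) {
    $response = wp_remote_get( $url );
    if ( is_wp_error( $response ) ) {
        return false;
    }
    $body = wp_remote_retrieve_body( $response );
    // Trusting the URL's suffix decides the extension on disk.
    $ext  = pathinfo( parse_url( $url, PHP_URL_PATH ), PATHINFO_EXTENSION );
    $path = trailingslashit( $dir ) . md5( $url ) . '.' . $ext;
    file_put_contents( $path, $body );
    return $path;
}

// HARDENED version: the URL is built only from a validated Gravatar hash, the
// fetch refuses redirects and caps the response size, the bytes are sniffed to
// confirm they are a real raster image, and the extension is derived from the
// detected type rather than from the URL or the Content-Type header.
function safe_store_remote_gravatar( $email_hash, $dir ) {
    // Gravatar hashes are 32 hex chars; anything else never reaches the network.
    if ( ! preg_match( '/^[0-9a-f]{32}$/', $email_hash ) ) {
        return false;
    }
    $url = 'https://secure.gravatar.com/avatar/' . $email_hash . '?s=96&d=404';

    $response = wp_remote_get( $url, array(
        'timeout'             => 5,
        'redirection'         => 0,          // a redirect could point anywhere
        'limit_response_size' => 512 * 1024, // assumed cap; avatars are small
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $body = wp_remote_retrieve_body( $response );

    // Content sniffing: reject anything that does not parse as an image.
    $info = getimagesizefromstring( $body );
    if ( false === $info ) {
        return false;
    }
    $allowed = array( IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_WEBP );
    if ( ! in_array( $info[2], $allowed, true ) ) {
        return false;
    }

    // The extension can now only be jpeg/png/gif/webp, and the basename is the
    // validated hash, so no attacker-controlled string reaches the filesystem.
    $ext  = image_type_to_extension( $info[2], false );
    $path = trailingslashit( $dir ) . $email_hash . '.' . $ext;

    wp_mkdir_p( $dir );
    if ( false === file_put_contents( $path, $body, LOCK_EX ) ) {
        return false;
    }
    return $path;
}
```

Two points worth noting. First, the sniffing step is what actually closes the hole: a file named avatar.png that contains PHP source fails getimagesizefromstring, and a genuine image can only be written under an image extension, so even a polyglot file is never served as executable code. Second, whichever directory a plugin stores locally fetched files in should additionally have PHP execution disabled at the web server (an .htaccess or nginx location rule), so that a future validation bug in any plugin still cannot turn an upload into remote code execution.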