嗯,用户让我总结这篇文章的内容,控制在100字以内,而且不需要用“文章内容总结”之类的开头。首先,我需要仔细阅读文章,抓住关键点。 文章主要讲的是Breeze Cache插件的一个漏洞(CVE-2026-3844),这个漏洞被黑客利用,导致超过40万网站面临风险。攻击者可以上传文件而不登录,Wordfence检测到170多次攻击。插件的开发者是Cloudways,它帮助提高网站速度。漏洞是由Hung Nguyen发现的,存在于所有版本到2.4.4,已修复在2.4.5。用户应该立即更新或禁用插件。 现在,我需要把这些信息浓缩到100字以内。重点包括:漏洞名称、影响范围、攻击方式、检测次数、插件功能、发现者、影响版本、修复版本以及建议措施。 可能的结构:Breeze Cache插件存在严重漏洞(CVE-...),允许黑客上传文件并控制网站。该插件安装在40多万网站上。Wordfence检测到170多次攻击。漏洞存在于2.4.4及以下版本,已修复于2.4.5。建议用户立即更新或禁用。 检查字数是否在限制内,并确保信息准确无误。 </think> Breeze Cache WordPress插件存在严重漏洞(CVE-2026-3844),允许黑客上传任意文件并控制网站。该插件安装在超40万网站上,已有170多次攻击被检测到。漏洞影响版本2.4.4及以下,已修复于2.4.5版本中。建议用户立即更新或禁用插件以避免风险。 2026-4-25 14:22:33 Author: securityaffairs.com(查看原文) 阅读量:26 收藏
Over 400,000 sites at risk as hackers exploit Breeze Cache plugin flaw (CVE-2026-3844)
Attackers exploit a Breeze Cache flaw (CVE-2026-3844) to upload files without login. Wordfence researchers detected over 170 attacks.
Threat actors are exploiting a critical flaw, tracked as CVE-2026-3844 (CVSS score of 9.8), in the Breeze Cache WordPress plugin, allowing them to upload files to a server without authentication. The vulnerability has already been used in over 170 attack attempts detected by Wordfence.
Breeze Cache is a free WordPress plugin developed by Cloudways that improves website speed and performance. It offers page and browser caching, file minification, Gzip compression, and CDN integration, helping reduce load times and optimize overall site delivery. The plugin is currently installed on over 400,000 websites.
The security researcher Hung Nguyen (bashu) discovered the vulnerability.
“The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘fetch_gravatar_from_remote’ function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.” reads the report published by Wordfence. “The vulnerability can only be exploited if “Host Files Locally – Gravatars” is enabled, which is disabled by default.”
Wordfence researchers say the flaw stems from missing file-type validation in the ‘fetch_gravatar_from_remote’ function, allowing unauthenticated attackers to upload arbitrary files. This can lead to remote code execution and full site takeover. According to the advisory, the exploitation is only possible if the “Host Files Locally – Gravatars” option is enabled. The issue affects Breeze Cache up to version 2.4.4 and is fixed in version 2.4.5.
Since the vulnerability is actively exploited, Breeze Cache users should update to the latest version immediately or disable the plugin temporarily.
At the time of this writing, Wordfence reported that it had blocked 3,936 attacks targeting this vulnerability in the past 24 hours.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Breeze Cache plugin)
如有侵权请联系:admin#unsafe.sh