TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Wordfence Blog

Attackers Actively Exploiting Critical Vulnerability in Breeze Cache Plugin

István Márton · 1 day ago

ATT&CK techniques detected

8 predictions
T1190 Exploit Public-Facing Application
97%
“attackers actively exploiting critical vulnerability in breeze cache plugin on april 22nd, 2026, we publicly disclosed a critical arbitrary file upload vulnerability in breeze cache, a wordpress plugin with an estimated 400,000 active installations. this vulnerability can be lev…”
T1190 Exploit Public-Facing Application
91%
“…xsw.php or wp-array_merge-mnbvcx.php. you should be able to see patterns like that in your access log files. wordfence firewall the following graphic demonstrates the steps to exploitation an attacker might take and at which point the wordfence firewall would block an a…”
T1190 Exploit Public-Facing Application
90%
“…ed version of breeze cache, version 2.4.5 at the time of this writing, as soon as possible. we covered this exploitation campaign in our most recent episode of wordfence security news — watch it below for a quick rundown. vulnerability summary from wordfence intelligence bree…”
T1505.003 Web Shell
82%
“use of webshells and other techniques. it is important to note that this vulnerability can only be exploited when the “host files locally – gravatars” option is enabled in the plugin’s settings, which is disabled by default. a closer look at the attack data the following data…”
T1190 Exploit Public-Facing Application
69%
“response plans. both plans come with a thorough malware investigation, malware cleanup, and post-incident search engine security cleanup. with wordfence care, you’ll receive expert support during business hours. wordfence response offers a 1-hour response time and incident …”
T1190 Exploit Public-Facing Application
57%
“use of webshells and other techniques. it is important to note that this vulnerability can only be exploited when the “host files locally – gravatars” option is enabled in the plugin’s settings, which is disabled by default. a closer look at the attack data the following data…”
T1190 Exploit Public-Facing Application
46%
“… conclusion in today’s article, we covered the attack data for a critical-severity arbitrary file upload vulnerability i…”
T1204.002 Malicious File
37%
“, or the author name in the case of comment avatars, an unauthenticated attacker is able to inject an attacker-controlled url into the alt attribute by leaving a comment with an author name set to a url pointing to a malicious file. once the comment is rendered and the gravatar…”

Summary

On April 22nd, 2026, we publicly disclosed a critical Arbitrary File Upload vulnerability in Breeze Cache, a WordPress plugin with an estimated 400,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to upload arbitrary files, including PHP backdoors, and achieve remote code execution. The vendor released the fully patched version on April 21st, 2026. Our records indicate that attackers started exploiting the issue the same day the vulnerability was disclosed in the Wordfence Intelligence vulnerability database - April 22nd, 2026. The Wordfence Firewall has already blocked over 30,000 exploit attempts targeting this vulnerability.
