Critical flaw in WordPress plugin under active attack

A critical vulnerability in the Breeze Cache plugin for WordPress, with over 400,000 active installations, is under active exploitation. The flaw, CVE-2026-3844, is an unauthenticated file upload bug with a severity score of 9.8/10 that can lead to remote code execution. Security firm Wordfence has detected over 170 exploitation attempts since the vulnerability was disclosed. Cloudways has released a patch in version 2.4.5, but only 138,000 sites have updated, leaving hundreds of thousands vulnerable unless they upgrade or disable the plugin.