Unauthenticated file upload in Breeze Cache exposes millions of WordPress sites to direct compromise
A file upload vulnerability in the widely-installed Breeze Cache WordPress plugin allows attackers to upload arbitrary files without authentication, enabling remote code execution on affected servers. Active exploitation is underway.
Affected
The Breeze Cache plugin for WordPress contains an unauthenticated file upload vulnerability that permits attackers to write arbitrary files to the web server without requiring any credentials or authentication tokens. This is a direct path to remote code execution: an attacker can upload a PHP webshell or other executable content, then access it via the web to gain command execution on the hosting environment.
The technical vector appears to centre on an endpoint or functionality within the plugin that fails to validate the request source, user session, or file type before processing uploads. Given that Breeze Cache is a caching optimisation plugin with more than 1 million active installations according to WordPress.org, the blast radius is substantial. The plugin's deep integration with WordPress core (cache handling, file system operations) amplifies the severity of successful exploitation.
Active exploitation indicates this vulnerability is known to threat actors in the wild. WordPress sites running vulnerable versions of Breeze Cache should be considered compromised until proven otherwise. Attackers can establish persistence through uploaded backdoors, steal sensitive data, pivot to other systems on the network, or repurpose the server for botnet activity, cryptocurrency mining, or malware distribution.
Immediate action is essential: site administrators must update to a patched version of Breeze Cache as soon as it is available. Until then, WAF rules blocking uploads to plugin directories, rate-limiting against known upload endpoints, and monitoring for PHP files in cache directories can provide interim mitigation. Organisations managing multiple WordPress installations should prioritise this plugin in their vulnerability scanning and update orchestration workflows.
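One way to implement the "monitoring for PHP files in cache directories" check described above, as an added example that is not code from the plugin or its vendor. The directory to scan is supplied by the caller, and the extension list is an assumption about which names the server hands to the PHP handler.

```shell
#!/bin/sh
# Added example: flag files under a cache directory that PHP could execute.
# A cache directory should hold static output only, so any hit needs triage.
# No plugin-specific path is assumed; pass the directory as the first argument.

find_php_in_cache() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # find hands file names to the inner shell as arguments, so names with
    # spaces or other odd characters are processed intact.
    find "$dir" -type f -exec sh -c '
        for f do
            # Lower-case the base name so A.PHP and a.php are treated alike.
            name=$(printf "%s" "${f##*/}" | tr "[:upper:]" "[:lower:]")
            case $name in
                # Assumed handler extensions, plus double extensions such as
                # x.php.jpg that some server configurations still execute.
                *.php|*.php[0-9]|*.phtml|*.phar|*.pht|*.php.*|*.phtml.*)
                    printf "name-match: %s\n" "$f" ;;
                *)
                    # Harmless-looking name, but the body carries a PHP open
                    # tag (for example code appended to an image header).
                    if grep -aqiF "<?php" "$f"; then
                        printf "content-match: %s\n" "$f"
                    fi ;;
            esac
        done
    ' sh {} +
}

# Stand-alone use: sh scan.sh /path/to/cache/dir
[ "$#" -eq 0 ] || find_php_in_cache "$1"
```

A content match on a cached HTML page can be benign if the site itself publishes PHP source in its posts, so treat the output as a triage list and compare it against a known-good baseline.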
This incident reinforces a structural weakness in the WordPress ecosystem: the reliance on third-party plugins that often receive less security scrutiny than core WordPress. Plugin vulnerabilities with high install counts pose systemic risk to the entire WordPress user base and should trigger the same incident response severity as vulnerabilities in WordPress core itself.