The Breeze Cache plugin for WordPress has a flaw that allows callers to execute the ‘fetch_gravatar_from_remote’ routine without user authentication, thereby bypassing file type validation and enabling the upload of any file type to the server. This missing validation can be exploited when the ‘Host Files Locally – Gravatars’ setting is enabled, a configuration that is disabled by default. Successful exploitation can result in the placement of malicious code on the web server, effectively granting attackers remote code execution. The weakness is categorized as CWE‑434, which captures improper validation of uploaded file types.

The vulnerability exists in all published versions of the Cloudways Breeze Cache plugin for WordPress up to and including version 2.4.4. All installations that have the ‘Host Files Locally – Gravatars’ option turned on are at risk. Systems running the plugin with earlier or later versions are not affected. This flaw is specific to the Breeze Cache plugin and does not affect other plugins or the WordPress core.

The CVSS base score of 9.8 classifies this flaw as critical, while the EPSS score of 20% indicates a non‑negligible likelihood of exploitation. The vulnerability has not been catalogued in the CISA KEV list. Exploitation requires only a remote HTTP request to the fetching endpoint and does not need any user credentials; however, the target must have the plugin installed and the specific gravatar hosting setting enabled. Because file uploads occur in a web‑accessible directory, an attacker who succeeds in uploading a PHP script can run arbitrary code on the server.