Mallory

Critical File Upload Flaws Expose WordPress Plugins to Remote Code Execution

Tags: internet-facing-service-vulnerability, actively-exploited-vulnerability, widely-deployed-product-advisory, rapid-weaponization
Updated April 24, 2026 at 04:01 PM. 5 sources.

Multiple WordPress plugins were found vulnerable to unauthenticated arbitrary file upload flaws that can lead to remote code execution and full site compromise. The most urgent case involves the Breeze Cache plugin, where CVE-2026-3844 affects versions through 2.4.4 when the optional "Host Files Locally - Gravatars" feature is enabled. Researchers said the bug stems from missing file-type validation in the fetch_gravatar_from_remote function, and BleepingComputer reported that attackers are already exploiting the issue in the wild, with Wordfence observing more than 170 attack attempts. Cloudways released a fix in version 2.4.5, and defenders were urged to update immediately or disable the Gravatar-related feature until patching is complete.

Two additional Contact Form 7 upload extensions were also disclosed with critical upload weaknesses. CVE-2026-5718 affects Drag and Drop Multiple File Upload for Contact Form 7 through 1.3.9.6, where custom blacklist handling can override the default dangerous-extension denylist and a non-ASCII filename trick can bypass sanitization, allowing attackers to upload PHP files. CVE-2026-5364 affects Drag and Drop File Upload for Contact Form 7 through 1.1.3, where the plugin validates an unsanitized extension but saves a sanitized one, enabling bypasses using special characters such as $; researchers noted that .htaccess protections and filename randomization may reduce real-world exploitability. Together, the disclosures highlight a broader pattern of insecure file validation in WordPress upload plugins.
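To make the ordering problem concrete, here is an added illustration written for this page; it is not code from Breeze Cache or either Contact Form 7 plugin. The sanitizer, the allow-list and the sample filenames are hypothetical stand-ins (the page does not show the real plugins' sanitizers), and the hardened version applies the allow-list to the exact name that will be stored, which is what both disclosures come down to:

```php
<?php
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
// Hypothetical sanitizer standing in for a plugin's own: drop any path, then
// cut the name at the first byte outside a conservative ASCII set, so '$' or a
// non-ASCII byte truncates the name instead of surviving in it.
function sanitize_name(string $name): string {
    $name = preg_replace('/[^A-Za-z0-9._-].*$/s', '', basename($name));
    return trim($name, '.');
}
function extension_of(string $name): string {
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Vulnerable ordering (the pattern described for CVE-2026-5364): the allow-list
// sees the raw name, the filesystem sees the sanitized one, and the two
// extensions need not agree.
function decide_vulnerable(string $raw): ?string {
    if (!in_array(extension_of($raw), ALLOWED_EXT, true)) {
        return null;            // rejected
    }
    return sanitize_name($raw); // stored without a second check
}

// Hardened ordering: sanitize first, then allow-list the extension of the
// exact name that will be written to disk.
function decide_hardened(string $raw): ?string {
    $stored = sanitize_name($raw);
    if ($stored === '' || !in_array(extension_of($stored), ALLOWED_EXT, true)) {
        return null;
    }
    return $stored;
}

// Property a reviewer can assert against any upload handler: every name the
// handler agrees to store carries an allow-listed extension.
function stores_only_allowed(callable $decide, array $names): bool {
    foreach ($names as $raw) {
        $stored = $decide($raw);
        if ($stored !== null && !in_array(extension_of($stored), ALLOWED_EXT, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names, not real upload traffic.
$samples = ['photo.jpg', 'scan.pdf', 'notes.php', 'avatar.php$.png'];
echo 'vulnerable ordering holds: ', var_export(stores_only_allowed('decide_vulnerable', $samples), true), PHP_EOL;
echo 'hardened ordering holds:   ', var_export(stores_only_allowed('decide_hardened', $samples), true), PHP_EOL;
```

The same property check applies to a remote-fetch path such as the Gravatar feature: whatever name or content type the fetched file ends up with on disk is what the allow-list has to be applied to, and a `.htaccess` rule or randomized filename is a second layer, not a substitute.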

Timeline

  1. Apr 24, 2026

    CVE-2026-5364 disclosed in Drag and Drop File Upload for Contact Form 7

    A separate unauthenticated arbitrary file upload flaw, CVE-2026-5364, was disclosed in Drag and Drop File Upload for Contact Form 7 versions up to 1.1.3. The bug involves validation of an unsanitized extension before saving a sanitized filename, enabling PHP upload in some scenarios despite mitigations such as .htaccess and randomized filenames.

  2. Apr 23, 2026

    Active exploitation of Breeze Cache bug observed in the wild

    Hackers were reported to be actively exploiting CVE-2026-3844, with Wordfence detecting more than 170 exploitation attempts. Successful attacks could lead to remote code execution and full WordPress site takeover on affected installations.

  3. Apr 23, 2026

    Cloudways releases Breeze Cache 2.4.5 patch

    Cloudways patched the Breeze Cache arbitrary file upload vulnerability by releasing version 2.4.5. Administrators were advised to update immediately or disable the vulnerable Gravatar-hosting feature if they could not patch at once.

  4. Apr 23, 2026

    Breeze Cache file upload flaw disclosed as CVE-2026-3844

    A critical unauthenticated arbitrary file upload vulnerability affecting Breeze Cache versions up to 2.4.4 was disclosed and assigned CVE-2026-3844. The issue was attributed to missing file-type validation in the plugin's fetch_gravatar_from_remote function and requires the optional "Host Files Locally - Gravatars" setting to be enabled.

  5. Apr 17, 2026

    CVE-2026-5718 disclosed in Drag and Drop Multiple File Upload plugin

    CVE-2026-5718 was disclosed for Drag and Drop Multiple File Upload for Contact Form 7 versions up to 1.3.9.6. The vulnerability combines improper blacklist handling with a non-ASCII filename sanitization bypass, allowing unauthenticated arbitrary file upload and possible remote code execution.

Related Stories

Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation

Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to **unauthenticated compromise**. `CVE-2026-3584` affects **Kali Forms** through version `2.4.9` and allows **remote code execution** because user-controlled input can be mapped into internal placeholder storage and later invoked via `call_user_func` in the `form_process` path. The issue is classified as `CWE-94` and carries a `CVSS 3.1` score with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating critical impact on confidentiality, integrity, and availability. A second flaw, `CVE-2026-4038`, affects **Aimogen Pro** through version `2.7.5` and enables **unauthenticated privilege escalation** through an arbitrary function call in `aiomatic_call_ai_function_realtime` caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as `update_option` to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as `CWE-862` and was likewise rated with a high-impact `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`.

1 month ago
Active Exploitation of Ninja Forms File Uploads Flaw Enables WordPress RCE

Attackers are actively exploiting **CVE-2026-0740**, a critical unauthenticated arbitrary file upload flaw in the **Ninja Forms File Uploads** premium add-on for WordPress that can lead to **remote code execution** and full site compromise. The vulnerability affects versions through `3.3.26` and stems from improper validation of file types and extensions in destination filenames, combined with missing filename sanitization that allows path traversal and placement of malicious PHP files in the webroot or other sensitive directories. Wordfence said it blocked more than **3,600** exploitation attempts in a 24-hour period and warned that attackers could use the bug to deploy web shells and take over vulnerable sites. Researcher **Sélim Lanouar** discovered the issue through Wordfence’s bug bounty program, and the vendor released a full fix in version `3.3.27` after an earlier partial remediation. Organizations using the add-on, which is deployed across more than **90,000** customer environments, have been urged to upgrade immediately.

3 weeks ago
Critical WordPress Form Plugin Flaws Enable Unauthenticated Server Compromise

Two high-severity vulnerabilities were disclosed in widely used WordPress form plugins, exposing sites to unauthenticated attacks that can lead to full server compromise. **CVE-2026-4347** affects **MW WP Form** through version `5.1.0` and stems from insufficient file path validation in `generate_user_filepath` and `move_temp_file_to_upload_dir`. An attacker can move arbitrary files on the server without authentication, and if a sensitive file such as `wp-config.php` is relocated, the flaw can be leveraged for remote code execution. Exploitation requires a form with a file upload field and the **Saving inquiry data in database** option enabled; the issue is tracked as **CWE-22**.

3 weeks ago