Hackers Exploit File Upload Bug in Breeze Cache WordPress Plugin

Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress, according to a report published by BleepingComputer. The flaw allows attackers to upload arbitrary files to a server without any authentication, meaning no login or credentials are required to trigger it.

What happened

The Breeze Cache plugin, developed by Cloudways to improve WordPress site performance, contains a critical file upload vulnerability. Attackers can exploit this flaw remotely and without authentication to place arbitrary files on the web server. In practice, this typically means uploading a web shell: a malicious script that gives attackers persistent, interactive control over the compromised server.

Active exploitation has been confirmed in the wild, which means this is not a theoretical risk. Real attackers are scanning for vulnerable sites and taking advantage of unpatched installations right now. If your WordPress site runs Breeze Cache and you have not updated it, you should treat this as an urgent issue.

Why this matters to small teams

For solo developers and small startups, WordPress is often the backbone of a marketing site, documentation portal, or even a product landing page. Plugins are installed quickly, sometimes forgotten, and rarely audited. A plugin like Breeze Cache is appealing precisely because it is low-friction, but that same hands-off relationship means updates get skipped.

Free Scan

Run the exact check on your domain

See your security score, grade, and a breakdown of what's exposed. Free. Takes under 2 minutes.

Scan my site free →

An unauthenticated file upload vulnerability is about as severe as web vulnerabilities get. There is no barrier for the attacker: no need to phish a password, bypass two-factor authentication, or find a logged-in session to hijack. Any internet-facing WordPress site with a vulnerable version of Breeze Cache installed is exposed. A successful exploit gives an attacker code execution on your server, which can lead to data theft, ransomware deployment, spam injection, or your site being used to attack others.

Small teams often share hosting infrastructure across multiple projects. A single compromised site on a shared server can cascade into broader damage. When you are the only developer, incident response falls entirely on you, making prevention far cheaper than recovery.

How to stay protected

Update Breeze Cache immediately. Log into your WordPress admin dashboard, go to Plugins, and check for an available update to Breeze Cache. Install it without delay. If an update is not yet available, consider deactivating the plugin temporarily until a patch is released.
Audit all installed plugins. Take 10 minutes to review every active and inactive plugin on your WordPress site. Remove anything you no longer use. Inactive plugins can still be exploited if the vulnerable code is present on disk.
Enable a web application firewall (WAF). A WAF can block malicious file upload attempts at the network edge, even before a request reaches WordPress. Services like Cloudflare, Sucuri, and Wordfence all offer WAF options for WordPress.
Monitor for unexpected files. Check your web root and uploads directory for files you did not place there, especially PHP files in locations like /wp-content/uploads/. Web shells often hide in these directories. File integrity monitoring tools can automate this check.
Restrict direct PHP execution in upload directories. Add a server-level rule (via .htaccess on Apache or a location block in Nginx) to deny execution of PHP files in the WordPress uploads directory. This limits the damage even if a malicious file is successfully uploaded.
Keep regular, tested backups. If an attacker does gain access, a clean and recent backup is your fastest path to recovery. Ensure backups are stored off-server and tested periodically so you know they actually restore correctly.

How UNPWNED helps

UNPWNED scans your site for a range of web security issues that overlap with the risk category this vulnerability represents. Our scanner checks for exposed WordPress configuration signals, outdated or risky plugin indicators, missing security headers, and other surface-level weaknesses that commonly accompany unpatched CMS deployments. While we do not perform authenticated plugin version auditing inside your WordPress admin, our external security checks can flag signs of misconfiguration and missing controls that leave sites like yours more exposed. Among the 1,096 sites we have scanned, the average security score sits at 72 out of 100, which means most sites have meaningful gaps worth addressing before an incident forces the issue.

This post was drafted with AI assistance based on authoritative security sources, then published under editorial review.