A vulnerability has been identified in the Breeze Cache plugin affecting versions up to 2.4.4. The issue allows unauthenticated users to upload arbitrary files under certain conditions, leading to remote code execution.
Cloudways customers are not impacted by this issue unless they have explicitly disabled Cloudways platform safeguards by enabling direct PHP file access.
Are You at Risk?
Cloudways Customers
- This vulnerability is not active by default. It depends on a specific configuration being enabled.
- Your site is at risk only if all these conditions are met:
- You have enabled direct PHP file access in the Cloudways platform console.
- You are using Breeze version <= 2.4.4.
- The “Host Files Locally – Gravatars” feature is enabled in the Breeze admin area.
Non-Cloudways Breeze Users
- This vulnerability is not active by default. It depends on a specific feature being enabled.
- Your site is at risk only if all these conditions are met:
- You are using Breeze version <= 2.4.4.
- The “Host Files Locally – Gravatars” feature is enabled in the Breeze admin area.
For Cloudways customers, this issue was automatically virtually patched through default platform-level safeguards that prevent this attack path unless safeguards are explicitly disabled by enabling direct PHP file access.
For users not hosted on Cloudways, exploitation requires an off-by-default configuration to be enabled, so exposure is likely limited.
Patch Status
The root cause of the issue has also been patched in the latest version of the plugin.
Breeze version 2.4.5 includes the mitigation and checks to eliminate the root cause. We strongly recommend updating to this version to mitigate any probable residual risk. This advisory applies to all Breeze users, especially sites hosted outside Cloudways platform.
Timeline
- Patch released in version 2.4.5 on April 21, 2026
- Publicly disclosed on April 22, 2026
Recommended Action for Cloudways Users
If you have not disabled the platform security defaults as mentioned above, your site remains protected. However, you should still update to version 2.4.5 or later. This ensures your application layer aligns with the patched codebase and avoids future exposure. Moreover you should also consider deleting all unnecessary and suspicious files, if any in `/wp-content/cache/breeze-extra/gravatars/`as a cleanup measure.
General Remediation and Verification
- Log in to your WordPress dashboard
- Navigate to Plugins > Installed Plugins
- Locate Breeze
- Click Update to install version 2.4.5 or later
Alternative Mitigation
If you cannot update immediately:
- Go to Breeze settings > Advanced Settings
- Disable/toggle off Gravatars (this is disabled by default)
This configuration disables the vulnerable component.
Verification
After updating:
- Confirm that the installed version is 2.4.5 or higher
- Review your WordPress directory for unexpected files. In particular, delete all unnecessary and suspicious files in the /wp-content/cache/breeze-extra/gravatars/ directory. This applies to both sites hosted on Cloudways and other platforms.
Key Takeaways
- The vulnerability allows unauthenticated file uploads under specific conditions. It is fixed in version 2.4.5
- Risk depends on specific configurations
- Cloudways-hosted sites are not impacted due to default platform safeguards, unless explicitly disabled by the end user as explained above.
Most of the Breeze users are already hosted on Cloudways. As such, the affected number of applications is potentially very low.
FAQ
Is my site vulnerable if I never enabled Gravatar hosting?
No. The exploit path requires that feature to be enabled.
Do I need to take action if I’m on Cloudways?
Your site is protected unless platform safeguards are explicitly disabled by the end user. Update the plugin as a best practice.
How urgent is this update?
We strongly recommend non-Cloudways customers to upgrade immediately. Websites hosted on Cloudways remain protected unless platform safeguards are explicitly disabled by the end user as explained above. However, the Breeze plugin should be updated to the latest version as soon as possible as a best practice and to mitigate any probable residual risk.
Zafar Iqbal
Zafar Iqbal is a Senior Technical Writer who's spent the last decade making server products, WordPress, and SaaS platforms actually make sense to people. As someone who lives at the intersection of tech and marketing, he loves turning complicated technical concepts into insights that help people make the right business decisions. When he's not demystifying managed hosting infrastructure, he's tinkering with his hobby projects.
