CVE-2026-3844

Breeze · Breeze Cache

The Breeze Cache plugin for WordPress is vulnerable to unauthenticated arbitrary file uploads via the Gravatar fetching function.

Executive summary

A critical file upload vulnerability in the Breeze Cache plugin allows unauthenticated attackers to achieve remote code execution.

Vulnerability

The fetch_gravatar_from_remote function lacks file type validation, allowing unauthenticated attackers to upload malicious files to the server.

Business impact

Successful exploitation allows for the execution of arbitrary code on the server, potentially leading to full site compromise, data theft, and defacement. Given the CVSS score of 9.8, this is a critical threat to the integrity and availability of the WordPress site.

Remediation

Immediate Action: Update the Breeze Cache plugin to the latest version.

Proactive Monitoring: Inspect the uploads directory for suspicious files, particularly executable scripts (e.g., .php files) that should not be present.

Compensating Controls: Disable the "Host Files Locally - Gravatars" feature if an immediate update is not possible, as this mitigates the attack vector.
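The Proactive Monitoring step above, as an added example that is not part of this advisory or of the Breeze plugin: a Python scanner that walks an uploads directory and flags files a web server could execute as PHP, by extension (including double extensions such as avatar.php.png) and by a PHP opening tag inside files that carry an image extension. The directory layout and file contents are constructed sample data.

```python
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Extensions a typical web server hands to the PHP interpreter; none belong under wp-content/uploads.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# A PHP opening tag marks code even when the file was saved with an image extension.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
HEAD_BYTES = 64 * 1024  # only the head of each file is inspected

def classify_file(path: Path) -> list[str]:
    """Return the reasons a file is suspicious; an empty list means it looks like ordinary media."""
    reasons: list[str] = []
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {suffixes[-1]}")
    elif any(s in EXECUTABLE_EXTENSIONS for s in suffixes[:-1]):
        reasons.append("double extension with a PHP suffix")
    with path.open("rb") as fh:
        head = fh.read(HEAD_BYTES)
    if PHP_TAG.search(head):
        reasons.append("PHP opening tag in file body")
    return reasons

def scan_uploads(uploads_dir: str | Path) -> dict[str, list[str]]:
    """Map each suspicious file under uploads_dir (relative POSIX path) to its list of reasons."""
    base = Path(uploads_dir)
    findings: dict[str, list[str]] = {}
    for full in (p for p in base.rglob("*") if p.is_file()):
        reasons = classify_file(full)
        if reasons:
            findings[full.relative_to(base).as_posix()] = reasons
    return findings

def build_sample_uploads() -> Path:
    # Constructed uploads tree: one genuine JPEG header and three planted files (sample data, not real artifacts).
    base = Path(tempfile.mkdtemp(prefix="uploads-"))
    samples = {
        "gravatar/clean.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
        "gravatar/shell.php": b"<?php /* constructed sample, not a real payload */ ?>",
        "gravatar/image.jpg": b"\xff\xd8\xff\xe0<?php /* code hidden behind an image extension */ ?>",
        "2026/03/avatar.php.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    }
    for rel, content in samples.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(content)
    return base
```

Run scan_uploads against the real wp-content/uploads path and treat every finding as a file to quarantine and investigate, not just delete.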

Exploitation status

Public Exploit Available: false

Analyst recommendation

Apply the update immediately. If the "Host Files Locally - Gravatars" feature is currently enabled, it should be disabled until the plugin is patched to prevent immediate exploitation.