jproxx

Security Bulletin for 28 June 2026: Actively Exploited Remote Code Execution in the Breeze Cache Plugin, an Authentication Bypass in Burst Statistics and an Unauthenticated Flaw in WP Travel Engine

28 June 2026 · jproxx Security

This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. For 28 June 2026 we highlight three plugin vulnerabilities, the first of which — a critical flaw in the Breeze cache plugin — is already being actively exploited for full server takeover and therefore deserves particular attention.

CVE-2026-3844 — Unauthenticated File Upload with Code Execution in the Breeze Cache Plugin (critical)

The Breeze caching plugin developed by Cloudways, which improves loading times on more than 400,000 WordPress sites, contains a critical vulnerability in all versions up to and including 2.4.4 that allows unauthenticated attackers to upload arbitrary files to the server. The cause is the fetch_gravatar_from_remote routine, which downloads Gravatar images from an external address and stores them in the upload directory but checks neither the file type nor the content of the downloaded file. If an attacker controls the source address, a PHP file can be written this way — instead of an image — into a directory where script execution is permitted, turning a plain file upload into full code execution and thus into a takeover of the site. The National Vulnerability Database carries the rating of 9.8 assigned by Wordfence, classifies the flaw as critical and assigns it to weakness class CWE-434 (unrestricted upload of file with dangerous type). Exploitation requires the add-on for storing Gravatar images locally to be enabled; while this is switched off by default, it may be pre-enabled on managed hosting plans, so operators who never opened the plugin’s settings can still be affected. The flaw has been fixed since 22 April 2026 in version 2.4.5.

The reason we are highlighting this spring-patched flaw today is its continued active exploitation: Wordfence records a large number of attack attempts specifically targeting this vulnerability. Operators should therefore update Breeze to version 2.4.5 or newer without delay, or temporarily deactivate the plugin. Where that is not immediately possible, the local Gravatar storage function mentioned above should at least be turned off. In addition, it is advisable to inspect the upload directory (in particular /wp-content/uploads/breeze/) for unexpected files with extensions such as .php, .phtml or .phar, since a successful attack may have left a persistent backdoor that a mere update does not remove.
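One way to carry out the upload-directory inspection recommended above, as an added Python example that is neither Breeze's nor Wordfence's code: it walks a directory tree, flags files with the extensions named in the bulletin, and goes a step further by also flagging files named as images whose first bytes are not an image header, and any file that carries a PHP open tag (a disguised script under an image name would otherwise pass an extension-only check). The sample tree it builds in a temporary directory is constructed test data; the directory layout under `breeze/` only mirrors the path mentioned above.

```python
"""Added example: scan a WordPress uploads tree for files that should not be there.

Flags (a) files with extensions a PHP engine would execute, (b) files named as
images whose first bytes are not an image header, and (c) any file carrying a
PHP open tag. The sample tree is constructed inside a temporary directory.
"""
import re
import tempfile
from pathlib import Path

# Extensions named in the bulletin; writing one of these into a directory that
# permits script execution is what turns the Breeze upload into code execution.
DANGEROUS_EXTENSIONS = {".php", ".phtml", ".phar"}

# Magic bytes for the image types a Gravatar fetch would legitimately store.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# PHP open tags; the short tag "<?" alone is skipped to avoid matching XML prologues.
PHP_MARKER = re.compile(rb"<\?php|<\?=")


def classify_file(path: Path) -> list[str]:
    """Return the findings for one file; an empty list means nothing suspicious."""
    findings = []
    ext = path.suffix.lower()
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # magic bytes and typical script stubs sit at the start
    if ext in DANGEROUS_EXTENSIONS:
        findings.append("executable extension")
    if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
        findings.append("image extension but no matching image header")
    if PHP_MARKER.search(head):
        findings.append("contains a PHP open tag")
    return findings


def scan_uploads(root) -> dict[str, list[str]]:
    """Walk root recursively and map each suspicious file (relative path) to its findings."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings = classify_file(path)
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report


def build_demo_tree() -> Path:
    """Create a constructed sample tree; the contents are harmless test data, not real artefacts."""
    base = Path(tempfile.mkdtemp(prefix="uploads-scan-demo-"))
    breeze = base / "breeze"
    breeze.mkdir()
    (breeze / "avatar-ok.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (breeze / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 16)
    (breeze / "avatar.php").write_bytes(b"<?php echo 'constructed sample'; ?>")
    (breeze / "avatar2.jpg").write_bytes(b"<?php /* constructed: PHP stored under an image name */ ?>")
    return base


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel_path, findings in scan_uploads(demo_root).items():
        print(f"{rel_path}: {', '.join(findings)}")
```

Pointed at a real installation, `scan_uploads("/path/to/wp-content/uploads")` covers the whole upload tree rather than only the Breeze subdirectory; anything it reports should be treated as a reason for a full compromise assessment, since the bulletin notes that updating the plugin does not remove a backdoor that was already written.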

Sources: National Vulnerability Database — CVE-2026-3844 · Wordfence — Breeze CVE-2026-3844

CVE-2026-8181 — Authentication Bypass with Administrator Takeover in Burst Statistics (critical)

Burst Statistics, an analytics plugin used as a privacy-friendly alternative to Google Analytics on around 200,000 sites, contains a critical authentication bypass vulnerability in versions 3.4.0 up to and including 3.4.1.1. The cause is a flaw in the is_mainwp_authenticated function, which is meant to validate the application password supplied in the Authorization header as part of the MainWP integration, but whose return value is wrongly treated as a successful login on the error path. As a result, an unauthenticated attacker merely needs to know an administrator’s username to impersonate that administrator for the duration of the request — any made-up password is accepted. The National Vulnerability Database carries the rating of 9.8 assigned by Wordfence, classifies the flaw as critical and assigns it to weakness class CWE-287 (improper authentication). The vulnerability has been fixed since 12 May 2026 in version 3.4.2; here too, according to Wordfence, attacks are already occurring at considerable scale. Operators should update Burst Statistics to version 3.4.2 or newer without delay and, where a takeover is suspected, review the user accounts and sessions of their WordPress installation.
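The fail-open pattern the Burst description points at, sketched as an added Python example: this is an illustration of the bug class (an error value on the failure path being treated as a successful login), not the plugin's own code, which the bulletin does not reproduce. It shows a validator that returns an error object on failure, a gate that only tests that result for truthiness and therefore accepts any password for a known username, and the corrected gate beside it. The header parsing assumes WordPress-style Basic authentication for application passwords; the user store, salt and demo password are constructed, and `gate_vulnerable`, `gate_fixed` and `validate_application_password` are hypothetical names.

```python
"""Added example: the fail-open error-path pattern behind an authentication bypass.

Sketch of the bug class, not Burst Statistics' code: a validator that returns
an error object on failure, a gate that tests its result for truthiness, and
the corrected gate. Header parsing assumes WordPress-style Basic authentication
for application passwords. The user store, salt and password are constructed.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class AuthError:
    reason: str  # a dataclass instance defines no __bool__, so it is always truthy


@dataclass
class AuthenticatedUser:
    username: str
    role: str


DEMO_PASSWORD = "constructed-demo-password"  # hypothetical, for the demo only


def _hash_password(salt: bytes, password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000).hex()


_SALT = secrets.token_bytes(16)
# Constructed user store: username -> record. Stands in for WordPress user data.
USERS = {
    "admin": {"role": "administrator", "salt": _SALT, "hash": _hash_password(_SALT, DEMO_PASSWORD)},
}


def build_basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic_auth(header: str):
    """Return (username, password) from a Basic Authorization header, or None if malformed."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def validate_application_password(username: str, password: str):
    """Return AuthenticatedUser on success and AuthError on every failure path."""
    record = USERS.get(username)
    if record is None:
        return AuthError("unknown user")
    if not hmac.compare_digest(_hash_password(record["salt"], password), record["hash"]):
        return AuthError("wrong password")
    return AuthenticatedUser(username, record["role"])


def gate_vulnerable(header: str):
    """Fail-open gate: the validator's result is tested for truthiness, and AuthError is truthy.

    Anyone who knows an existing username is treated as that user, whatever the password.
    """
    creds = parse_basic_auth(header)
    if creds is None or creds[0] not in USERS:
        return None
    result = validate_application_password(*creds)
    if result:  # bug: true for AuthError as well as for AuthenticatedUser
        return creds[0]
    return None


def gate_fixed(header: str):
    """Fail-closed gate: only an explicit AuthenticatedUser result is accepted."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    result = validate_application_password(*creds)
    if not isinstance(result, AuthenticatedUser):
        return None
    return result.username


if __name__ == "__main__":
    forged = build_basic_auth_header("admin", "any-made-up-password")
    print("vulnerable gate accepts forged header as:", gate_vulnerable(forged))
    print("fixed gate accepts forged header as:", gate_fixed(forged))
    print("fixed gate with the real password:", gate_fixed(build_basic_auth_header("admin", DEMO_PASSWORD)))
```

The design point is that the validator's success type, not the absence of a falsy value, is what the gate must check; returning a distinct error object is fine as long as every caller tests for the success type explicitly, and a code review of authentication paths should look for exactly this truthiness shortcut.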

Sources: National Vulnerability Database — CVE-2026-8181 · Wordfence — Burst Statistics CVE-2026-8181

CVE-2026-49078 — Unauthenticated Flaw in WP Travel Engine (high)

WP Travel Engine, a booking plugin used on travel and tour websites, contains a vulnerability in all versions up to and including 6.7.10 that can be exploited without any login and stems from insufficient validation of supplied input values. An attacker can reach the vulnerable code path over the network and without any user interaction; the impact centres on the integrity of the data managed by the plugin. The assigning authority, Patchstack, rates the vulnerability at 7.5 and thus classifies it as high; it is assigned to weakness class CWE-1284 (improper validation of specified quantity in input). The flaw has been fixed in version 6.7.11. Because Patchstack lists further fixes for the 6.7.x line, operators should update not only to 6.7.11 but to the latest available version.

Sources: National Vulnerability Database — CVE-2026-49078 · Patchstack — WP Travel Engine


This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.