

Hackers are actively exploiting a critical vulnerability in the Bound Cache plugin for WordPress that allows uploading arbitrary files to the server without authentication.
The security issue is tracked as CVE-2026-3844 and has been leveraged in more than 170 exploitation attempts recorded by the Wordfence security solution for the WordPress ecosystem.
The Bound Cache WordPress caching plugin from Cloudways has more than 400,000 active installations and is designed to improve performance and loading speed by reducing page load times through caching, file optimization, and database cleanup.
The vulnerability received a critical severity score of 9.8 out of 10 and was discovered and reported by security researcher Hung Nguyen (bashu).
Researchers at WordPress security firm Defiant, the developer of Wordfence, say that the issue stems from missing file-type validation in the ‘fetch_gravatar_from_remote’ function.
This allows an unauthenticated attacker to upload arbitrary files to the server, which could lead to remote code execution (RCE) and full site takeover.
However, successful exploitation is only possible if the “Host Files Locally – Gravatars” add-on is enabled, which is not the default setting, the researchers say.
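The root cause described above, a remote-fetch routine that stores whatever it receives without checking that it is an image, is the validation gap worth understanding. The following is an added example, not the plugin's code or the researchers' analysis: it shows in Python (rather than the plugin's PHP, so it can run stand-alone without a network) how a gravatar cache handler can reject non-image content by checking the file's magic bytes and derive the on-disk name from the hex hash it computed itself, so neither the remote filename nor any response header decides what is written. The function names, the signature allowlist, the size cap, and the sample byte strings are all constructed for the illustration.

```python
"""Validating a remotely fetched avatar before writing it to the cache.

Added example (not from the plugin or the article). Constructed inputs
stand in for the bytes a real fetch would return.
"""
import hashlib
import os
import re
import tempfile
from typing import Optional

# Constructed allowlist: leading magic bytes -> extension we are willing to write.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_AVATAR_BYTES = 1_000_000          # constructed cap; avatars are small
HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")


def gravatar_hash(email: str) -> str:
    """Gravatar addresses an avatar by the MD5 of the trimmed, lower-cased email."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the extension for an allowlisted image signature, else None.

    Neither the URL's extension nor a declared Content-Type is consulted:
    both are attacker-influenced, the leading bytes are what we actually have.
    """
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_avatar(email_hash: str, data: bytes) -> Optional[str]:
    """Hardened check: return the cache filename to write, or None to reject.

    The name is built only from the hex hash we computed and an extension
    derived from the received bytes, so no remote-supplied string reaches disk.
    """
    if not HEX_MD5.match(email_hash):
        return None                    # also rejects traversal sequences
    if len(data) == 0 or len(data) > MAX_AVATAR_BYTES:
        return None
    ext = detect_image_type(data)
    if ext is None:
        return None                    # not a recognised image: do not store
    return f"{email_hash}.{ext}"


def store_avatar(cache_dir: str, email_hash: str, data: bytes) -> Optional[str]:
    """Write a validated avatar into cache_dir; return its path or None."""
    name = validate_avatar(email_hash, data)
    if name is None:
        return None
    path = os.path.join(cache_dir, name)
    # O_EXCL refuses to overwrite a file already cached under that name.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run the check over constructed inputs and report each outcome."""
    cache = tempfile.mkdtemp(prefix="avatar-cache-")
    h = gravatar_hash("Reader@Example.org ")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # constructed PNG header
    not_image = b"<!-- constructed non-image content -->"
    return {
        "png_stored": store_avatar(cache, h, png) is not None,
        "non_image_rejected": store_avatar(cache, h, not_image) is None,
        "bad_hash_rejected": store_avatar(cache, "../evil", png) is None,
        "png_ext": detect_image_type(png),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that every component of the written path is chosen by the server: the directory is fixed, the basename is a hex digest the handler computed, and the extension comes from an allowlist keyed on the bytes received. A handler that instead took the filename or extension from the fetched URL or from a response header would have the class of flaw the article describes.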
CVE-2026-3844 affects all Bound Cache versions up to and including 2.4.4. Cloudways fixed the flaw in version 2.4.5, released earlier this week.
According to statistics from WordPress.org, the plugin has had roughly 138,000 downloads since the release of the latest version. It is unclear how many sites are vulnerable, though, because there is no data on the number that have Host Files Locally – Gravatars enabled.
Given the active exploitation status, site owners and admins who rely on Bound Cache to boost performance are advised to upgrade to the latest version of the plugin as soon as possible or temporarily disable it.
If upgrading is not currently possible, admins should at least disable the “Host Files Locally – Gravatars” option.
