Threat actors are exploiting a critical flaw, tracked as CVE-2026-3844 (CVSS score of 9.8), in the Breeze Cache WordPress plugin, allowing them to upload files to a server without authentication. The vulnerability has already been used in over 170 attack attempts detected by Wordfence.
Breeze Cache is a free WordPress plugin developed by Cloudways that improves website speed and performance. It offers page and browser caching, file minification, Gzip compression, and CDN integration, helping reduce load times and optimize overall site delivery. The plugin is currently installed on over 400,000 websites.
The security researcher Hung Nguyen (bashu) discovered the vulnerability.
“The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘fetch_gravatar_from_remote’ function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible,” reads the report published by Wordfence. “The vulnerability can only be exploited if ‘Host Files Locally – Gravatars’ is enabled, which is disabled by default.”
Wordfence researchers say the flaw stems from missing file-type validation in the ‘fetch_gravatar_from_remote’ function, allowing unauthenticated attackers to upload arbitrary files. This can lead to remote code execution and full site takeover. According to the advisory, the exploitation is only possible if the “Host Files Locally – Gravatars” option is enabled. The issue affects Breeze Cache up to version 2.4.4 and is fixed in version 2.4.5.
Since the vulnerability is actively exploited, Breeze Cache users should update to the latest version immediately or disable the plugin temporarily.
At the time of this writing, Wordfence reported that it had blocked 3,936 attacks targeting this vulnerability in the past 24 hours.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Breeze Cache plugin)
```php
if (isset($this->placeholdered_data['{entryCounter}'])) {
    $this->placeholdered_data['{entryCounter}'] = call_user_func($this->placeholdered_data['{entryCounter}'], $this->post->ID);
}
```

Because the Kali Forms vulnerability allows attackers to fully control values like {entryCounter} and {thisPermalink}, an unauthenticated user can inject arbitrary PHP function names. These are then executed directly, resulting in Remote Code Execution (RCE) attacks. Researchers noted that the lack of input restrictions in prepare_post_data() enables overwriting internal placeholders. As a result, attacker-controlled values flow directly into call_user_func(), making exploitation trivial once the request is submitted. One observed abuse pattern demonstrates authentication bypass attempts using built-in WordPress functions. For example, attackers can assign:

{entryCounter} = wp_set_auth_cookie
formId = 1

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=kaliforms_form_process&data[formId]=1&data[nonce]=66ddddb2b7&data[entryCounter]=wp_set_auth_cookie
```

This confirms how the Remote Code Execution flaw is triggered through manipulated form submission data. Security systems recorded significant attack volume:
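One way to keep placeholder handlers out of reach of submitted form data, as an added example that is not Kali Forms' code; the class, the handler functions and the field names are hypothetical, and only the placeholder keys are taken from the excerpt above.

```php
<?php
// Added example, not Kali Forms' code: reserved placeholders resolve only through a
// fixed map of trusted handlers, so a submitted value can never name the callable.
final class PlaceholderResolver
{
    // Hypothetical handlers; the keys mirror the placeholders named in the excerpt.
    private const HANDLERS = [
        '{entryCounter}'  => 'counter_for_post',
        '{thisPermalink}' => 'permalink_for_post',
    ];

    /** @var array<string, mixed> */
    private array $data;

    public function __construct(array $submitted)
    {
        // Reserved keys are stripped from the request so they cannot overwrite
        // internal placeholders (the gap the excerpt attributes to prepare_post_data()).
        $this->data = array_diff_key($submitted, self::HANDLERS);
    }

    public function resolve(int $postId): array
    {
        $out = $this->data;
        foreach (self::HANDLERS as $key => $handler) {
            // The callable comes from the constant map, never from $this->data.
            $out[$key] = $handler($postId);
        }
        return $out;
    }
}

// Stand-in handlers for the demo (hypothetical).
function counter_for_post(int $postId): int { return 100 + $postId; }
function permalink_for_post(int $postId): string { return '/?p=' . $postId; }

// Constructed request data: the submitted value tries to replace the handler
// with the function name seen in the excerpt; it is discarded, not executed.
$submitted = ['{entryCounter}' => 'wp_set_auth_cookie', 'name' => 'alice'];
$resolved  = (new PlaceholderResolver($submitted))->resolve(7);
var_dump($resolved);  // {entryCounter} holds the handler's integer result
```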
An unauthenticated SQL injection flaw, tracked as CVE-2026-2413 (CVSS score 7.5), in the Ally plugin could allow attackers to steal sensitive data. The offensive security engineer Drew Webber at Acquia discovered the vulnerability on February 4, 2026.
Ally (formerly One Click Accessibility) is a free WordPress plugin that helps creators build accessible websites. It offers an accessibility scanner with AI suggestions, a usability widget for visitors, and an automated accessibility statement generator.
The flaw could allow attackers to extract sensitive database data, including password hashes. The issue was responsibly reported by Drew Webber through the Wordfence Bug Bounty Program, earning an $800 bounty. Wordfence notified Elementor on February 13; the vendor acknowledged the report on February 15 and released a patch on February 23, 2026.
Users are urged to update to Ally version 4.1.0 to mitigate the risk.
The vulnerability stems from insecure handling of the subscribers query in Ally. The plugin builds a SQL JOIN query using a page URL parameter without using WordPress’ wpdb->prepare() function, which normally escapes and parameterizes queries.
Although esc_url_raw() is used, it does not prevent SQL injection. This flaw allows attackers to inject malicious SQL. By exploiting it with time-based blind SQL injection, using CASE statements and SLEEP() delays, an attacker could gradually extract sensitive information from the database.
“The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3,” reads the advisory published by Wordfence. “This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected.”
The development team addressed the issue by using the wpdb prepare() function in the JOIN statement.
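The JOIN built from a URL parameter, modelled as an added example that is not Ally's code: it uses an in-memory SQLite database via PDO so it runs outside WordPress, with hypothetical table and column names, and a PDO bound parameter standing in for $wpdb->prepare(). esc_url_raw() is omitted because, as the advisory notes, it leaves single quotes intact and so does not change the outcome.

```php
<?php
// Added example, not Ally's code. Tables and columns are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, url TEXT NOT NULL)');
$pdo->exec('CREATE TABLE remediations (page_id INTEGER, rule TEXT)');
$pdo->exec("INSERT INTO pages VALUES (1, 'https://example.com/a'), (2, 'https://example.com/b')");
$pdo->exec("INSERT INTO remediations VALUES (1, 'alt-text'), (2, 'contrast')");

// Vulnerable shape: the URL is concatenated straight into the JOIN clause.
// A single quote inside $url closes the string literal and the rest of the
// input becomes SQL, exactly the condition the advisory describes.
function remediations_vulnerable(PDO $pdo, string $url): array
{
    $sql = "SELECT r.rule FROM remediations r"
         . " JOIN pages p ON p.id = r.page_id AND p.url = '" . $url . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened shape: the URL is bound as a parameter, the PDO equivalent of
// $wpdb->prepare("... AND p.url = %s", $url). The whole string, quotes
// included, is compared as data and never parsed as SQL.
function remediations_safe(PDO $pdo, string $url): array
{
    $stmt = $pdo->prepare("SELECT r.rule FROM remediations r"
          . " JOIN pages p ON p.id = r.page_id AND p.url = ?");
    $stmt->execute([$url]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: one real page URL and one containing a stray quote.
$benign  = 'https://example.com/a';
$crafted = "https://example.com/nope' OR '1'='1";

var_dump(remediations_vulnerable($pdo, $benign));   // rules for page 1 only
var_dump(remediations_vulnerable($pdo, $crafted));  // JOIN condition now always true: every pairing is returned
var_dump(remediations_safe($pdo, $crafted));        // no page has that literal URL, so nothing is returned
```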
“The vulnerability has been addressed in version 4.1.0 of the plugin,” concludes the advisory. “We encourage WordPress users to verify that their sites are updated to the latest patched version of Ally as soon as possible considering the critical nature of this vulnerability.”