Description
The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials.
Published: 2025-12-18
Score: 7.5 High
EPSS: 45.4% Moderate
KEV: No
Impact: Sensitive Information Exposure
Action: Patch Now
AI Analysis

Impact

The vulnerability in the Hummingbird Performance plugin allows unauthenticated attackers to read sensitive files, including Cloudflare API credentials, via the plugin's request function. This results in direct exposure of confidential data that could be leveraged to compromise the WordPress site.

Affected Systems

All instances of wpmudev's Hummingbird Performance plugin through version 3.18.0 are affected. The plugin is installed on WordPress sites that have not been updated beyond this version.

Risk and Exploitability

The CVSS score of 7.5 classifies the issue as moderate severity, yet the EPSS score of 50% indicates a high probability of exploitation. Attackers can trigger the flaw through an unauthenticated HTTP request to the plugin’s request function, without needing any credentials. Although it is not yet listed in the CISA KEV catalog, the elevated EPSS stresses the importance of prompt remediation.

Generated by OpenCVE AI on April 21, 2026 at 17:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hummingbird Performance to version 3.18.1 or later.
  • If an upgrade is not possible at present, disable or uninstall the Hummingbird Performance plugin to remove the exposed request function.
  • Should credentials have been exposed prior to patching, rotate the affected Cloudflare API keys and audit the WordPress configuration for other compromised secrets.


Advisories

No advisories yet.

History

Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpmudev; Wpmudev hummingbird

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpmudev; Wpmudev hummingbird

Thu, 18 Dec 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 12:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials.

Type: Title
Values Removed: (none)
Values Added: Hummingbird <= 3.18.0 - Unauthenticated Sensitive Information Exposure via Log File

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-532

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:06.678Z

Reserved: 2025-12-10T11:11:27.633Z

Link: CVE-2025-14437

Vulnrichment

Updated: 2025-12-18T14:35:15.955Z

NVD

Status: Deferred

Published: 2025-12-18T13:15:47.373

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses