CVE-2025-14437

HIGH EXPLOITED NUCLEI

Hummingbird Performance <3.18.0 - Info Disclosure

Title source: llm

Description

The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials.

Nuclei Templates (2)

SureForms <= 1.13.1 - Sensitive Information Exposure

MEDIUMVERIFIEDby pussycat0x

Shodan: http.html:"/wp-content/plugins/sureforms/"

FOFA: body="/wp-content/plugins/sureforms/"

WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File

HIGHVERIFIEDby pussycat0x

Shodan: http.html:"/wp-content/plugins/hummingbird-performance"

FOFA: body="/wp-content/plugins/hummingbird-performance"

References (2)

[Product] https://plugins.trac.wordpress.org/changeset/3421187/hummingbird-performance

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/8755ab3f-ee77-44ea-8620-590f1f1cb333?source=cve

Scores

CVSS v3 7.5

EPSS 0.4537

EPSS Percentile 97.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2026-04-01

CWE

CWE-532

Status published

Products (1)

wpmudev/Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN < 3.18.0

Published Dec 18, 2025

Tracked Since Feb 18, 2026