CVE-2025-14437

HIGH EXPLOITED NUCLEI

Hummingbird Performance <3.18.0 - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2025-14437 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials.

Nuclei Templates (2)

SureForms <= 1.13.1 - Sensitive Information Exposure

MEDIUMVERIFIEDby pussycat0x

Shodan: http.html:"/wp-content/plugins/sureforms/"

FOFA: body="/wp-content/plugins/sureforms/"

WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File

HIGHVERIFIEDby pussycat0x

Shodan: http.html:"/wp-content/plugins/hummingbird-performance"

FOFA: body="/wp-content/plugins/hummingbird-performance"

References (2)

Core 2

Core References

Product

https://plugins.trac.wordpress.org/changeset/3421187/hummingbird-performance

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/8755ab3f-ee77-44ea-8620-590f1f1cb333?source=cve

Scores

CVSS v3 7.5

EPSS 0.3080

EPSS Percentile 96.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2026-04-01

CWE

CWE-532

Status published

Products (1)

wpmudev/Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN < 3.18.0

Published Dec 18, 2025

Tracked Since Feb 18, 2026