High severity7.5NVD Advisory· Published Dec 18, 2025· Updated Apr 15, 2026

CVE-2025-14437

Description

The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials.

Affected products

WordPress/Hummingbird Performanceinferred
Range: <=3.18.0
Package: https://wordpress.org/plugins/hummingbird-performance

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changeset/3421187/hummingbird-performancenvd
www.wordfence.com/threat-intel/vulnerabilities/id/8755ab3f-ee77-44ea-8620-590f1f1cb333nvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.025
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000