Mallory
Severity: High

Sensitive Information Exposure in WordPress Hummingbird Performance api-debug.log

Identifiers: CVE-2025-14437, CWE-200

CVE-2025-14437 is a sensitive information exposure vulnerability in the Hummingbird Performance plugin for WordPress affecting all versions up to and including 3.18.0. The issue is associated with the plugin's request functionality and results in API debug data being written to a publicly accessible log file under /wp-content/wphb-logs/api-debug.log. Available evidence shows that this log can contain full outbound request details to third-party services, including Cloudflare API headers and credentials such as X-Auth-Key, X-Auth-Email, and Bearer authorization tokens. Because the log file is web-accessible, an unauthenticated remote attacker can retrieve it directly over HTTP and extract sensitive secrets without needing to compromise WordPress authentication.

ANALYST BRIEF

Impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation exposes sensitive operational secrets stored in the debug log, including Cloudflare API credentials and related request metadata. Depending on the privileges associated with the leaked credentials, an attacker may gain unauthorized access to Cloudflare-managed resources, perform API actions against the victim's Cloudflare account, enumerate zones, modify configuration, or pivot into broader infrastructure abuse. At minimum, the vulnerability results in confidentiality loss of secrets and internal request data; in practice, it may enable follow-on compromise of external services integrated with the affected WordPress instance.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, block external HTTP access to /wp-content/wphb-logs/ and specifically /wp-content/wphb-logs/api-debug.log at the web server, CDN, or WAF layer. Disable API debugging or any plugin feature that records request and authorization data to disk. Remove existing debug logs from the document root, restrict filesystem permissions, and monitor for requests to the exposed path as an indicator of compromise. As a precaution, rotate any credentials that may have been logged and audit Cloudflare account activity for unauthorized use.
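The advisory recommends monitoring for requests to the exposed path as an indicator of compromise. The following script is an added example (not code from the advisory, from Mallory, or from the Hummingbird plugin) that parses web server access logs in the common "combined" format and reports every request under /wp-content/wphb-logs/, distinguishing hits the server actually answered with 2xx (the log content was served) from ones that were blocked. The access-log lines embedded below are constructed samples, not real traffic, and the regular expression assumes the standard Apache/nginx combined format.

```python
"""Flag access-log requests for the Hummingbird wphb-logs directory.

Added example for this advisory; the sample lines are constructed and the
log format assumed is the Apache/nginx "combined" format.
"""
import re
from dataclasses import dataclass

# Paths named in the advisory as web-accessible.
EXPOSED_PREFIX = "/wp-content/wphb-logs/"
EXPOSED_FILE = "/wp-content/wphb-logs/api-debug.log"

# combined format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


@dataclass
class Finding:
    ip: str
    time: str
    path: str
    status: int
    served: bool  # True when the response was 2xx, i.e. the file content went out


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_log_access(lines):
    """Return a Finding for every request whose path lies under the wphb-logs directory."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Drop any query string so "/api-debug.log?cb=1" still matches.
        path = rec["path"].split("?", 1)[0]
        if not path.startswith(EXPOSED_PREFIX):
            continue
        status = int(rec["status"])
        findings.append(Finding(rec["ip"], rec["time"], path, status, 200 <= status < 300))
    return findings


def summarize(findings):
    """Triage counts: how many hits were actually served versus blocked, and by whom."""
    served = sum(1 for f in findings if f.served)
    return {
        "total": len(findings),
        "served": served,
        "blocked": len(findings) - served,
        "source_ips": sorted({f.ip for f in findings}),
    }


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2026:03:12:45 +0000] "GET /wp-content/wphb-logs/api-debug.log HTTP/1.1" 200 48213 "-" "curl/8.4.0"',
    '198.51.100.23 - - [10/Jan/2026:03:13:02 +0000] "GET /index.php HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2026:03:13:10 +0000] "GET /wp-content/wphb-logs/ HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '192.0.2.44 - - [10/Jan/2026:04:01:00 +0000] "GET /wp-content/wphb-logs/api-debug.log?cb=1 HTTP/1.1" 404 153 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    hits = find_log_access(SAMPLE_LOG)
    for h in hits:
        state = "SERVED" if h.served else "blocked"
        print(f"{h.time} {h.ip} {h.path} -> {h.status} {state}")
    print(summarize(hits))
```

A served hit dated before the block rule went in place is the signal that the credentials in the log must be treated as exposed; blocked hits after the rule confirm the web-server or WAF deny is working and still identify who is probing.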

Remediation

Patch, then assume compromise.

Update the Hummingbird Performance plugin to a version newer than 3.18.0 if a vendor fix is available. Remove or disable the vulnerable behavior that writes sensitive API request data to a web-accessible log file. Delete any exposed /wp-content/wphb-logs/api-debug.log files and review the entire wphb-logs directory for additional leaked material. Rotate all credentials that may have been exposed, including Cloudflare X-Auth-Key values, API tokens, bearer tokens, and associated service credentials. Review web server configuration to ensure log and debug artifact directories under wp-content are not directly accessible over HTTP.
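Before deleting an exposed api-debug.log, a defender needs to know which credential classes it held so that the rotation in the remediation step is complete. The script below is an added example (not code from the advisory, from Mallory, or from the Hummingbird plugin): it scans log text for the header names the advisory cites (X-Auth-Key, X-Auth-Email, and Bearer authorization tokens) and produces a rotation checklist with redacted, non-reversible fingerprints instead of the secret values. The layout of the embedded sample log is a constructed approximation of a request dump; the real plugin's log format is not documented on this page and may differ, so the header regex, not the surrounding lines, is what the triage relies on.

```python
"""Build a rotation checklist from an exposed api-debug.log.

Added example for this advisory. The sample log text is constructed; only the
header names come from the advisory. Secret values are fingerprinted and
redacted, never reproduced in the report.
"""
import hashlib
import re

# Header name (lower-case) -> what the defender has to do about it.
CREDENTIAL_HEADERS = {
    "x-auth-key": "Cloudflare API key: rotate in the Cloudflare account",
    "x-auth-email": "Cloudflare account e-mail: identifier, review account activity",
    "authorization": "Bearer/API token: revoke and reissue",
}

# "Name: value" lines; the non-greedy value drops trailing whitespace.
HEADER_RE = re.compile(r'^\s*(?P<name>[A-Za-z0-9-]+)\s*:\s*(?P<value>.+?)\s*$')


def fingerprint(value):
    """Short SHA-256 prefix so one secret can be matched across logs without exposing it."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def redact(value):
    """Keep enough of the value to recognise it in a console, never the whole secret."""
    if len(value) <= 8:
        return "(redacted)"
    return value[:4] + "..." + f"({len(value)} chars)"


def triage(log_text):
    """Map each credential header seen to its action and the distinct (fingerprinted) values."""
    findings = {}
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        name = m.group("name").lower()
        if name not in CREDENTIAL_HEADERS:
            continue
        value = m.group("value")
        if name == "authorization":
            scheme, _, token = value.partition(" ")
            if scheme.lower() != "bearer" or not token:
                continue  # only bearer tokens are in scope for this advisory
            value = token
        entry = findings.setdefault(name, {"action": CREDENTIAL_HEADERS[name], "secrets": {}})
        entry["secrets"].setdefault(fingerprint(value), redact(value))
    return findings


def rotation_checklist(findings):
    """Human-readable lines, one per distinct secret, for the incident ticket."""
    lines = []
    for name, entry in sorted(findings.items()):
        for fp, shown in entry["secrets"].items():
            lines.append(f"{name}: {shown} fp={fp} -> {entry['action']}")
    return lines


# Constructed sample (format is an approximation, values are fake).
SAMPLE_LOG = """\
[2026-01-10 03:10:41] Request: GET https://api.cloudflare.com/client/v4/zones
Headers:
  X-Auth-Email: admin@example.com
  X-Auth-Key: 0123456789abcdef0123456789abcdef01234
  Content-Type: application/json
Response: 200
[2026-01-10 03:10:42] Request: GET https://api.cloudflare.com/client/v4/user/tokens/verify
Headers:
  Authorization: Bearer cf_example_token_ABCDEFGHIJKLMNOPQRSTUVWXYZ
  Content-Type: application/json
Response: 200
[2026-01-10 03:10:43] Request: GET https://api.cloudflare.com/client/v4/zones
Headers:
  X-Auth-Email: admin@example.com
  X-Auth-Key: 0123456789abcdef0123456789abcdef01234
Response: 200
"""

if __name__ == "__main__":
    for line in rotation_checklist(triage(SAMPLE_LOG)):
        print(line)
```

The same key appearing in several requests collapses to one checklist line because the fingerprint deduplicates it; the fingerprint is also what you would compare against Cloudflare's audit log or against a second copy of the file found elsewhere on the host, without ever pasting the key itself into a ticket.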

PUBLIC EXPLOITS

No public exploits tracked yet; no public exploit code observed for this vulnerability.
