WordPress Plugin Vulnerabilities

Hummingbird < 3.9.2 - Missing Authorization

Description

The Hummingbird plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clear_module_cache() function in versions up to, and including, 3.9.1. This makes it possible for authenticated attackers, with contributor-level access and above, to clear module cache.

Affects Plugins

Plugin icon
hummingbird-performance
Fixed in 3.9.2

References

CVE
CVE-2024-43118
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a68dac5d-b07b-40c1-aad1-73e2c8d0f927

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
03f57835-3e77-448f-ab12-85a2a3a6efb7

Timeline

Publicly Published
2024-08-07 (about 1 year ago)
Added
2024-08-14 (about 1 year ago)
Last Updated
2024-08-14 (about 1 year ago)

Other

Published
Title
Published
2026-02-08
Title
Coachify < 1.1.6 - Missing Authorization
Published
2025-12-12
Title
Userback <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Plugin's Configuration Exposure
Published
2023-11-09
Title
Ultimate Addons for Contact Form 7 < 3.2.11 - Missing Authorization
Published
2023-10-03
Title
Redirection for Contact Form 7 < 3.0.0 - Missing Authorization
Published
2022-03-29
Title
myCred < 2.4.4 - Subscriber+ Arbitrary Post Creation