CVE-2023-1478

9.8 CRITICAL

📋 TL;DR

The Hummingbird WordPress plugin before version 3.4.2 has a path traversal vulnerability in its page cache module. Attackers can write arbitrary files to any location on the server, potentially leading to remote code execution. WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Hummingbird WordPress Plugin
Versions: All versions before 3.4.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the page cache module to be enabled in the plugin settings.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete server compromise, data theft, or website defacement.

🟠 Likely Case: Arbitrary file write allowing attackers to upload malicious files like web shells or modify existing files.

🟢 If Mitigated: Limited impact if file permissions restrict write access to critical directories.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing and vulnerable to unauthenticated attacks.
🏢 Internal Only: LOW - This primarily affects public-facing web applications.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.2

Vendor Advisory: https://wpscan.com/vulnerability/512a9ba4-01c0-4614-a991-efdc7fe51abe

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find Hummingbird and click 'Update Now'.
4. Verify the version is 3.4.2 or higher.

🔧 Temporary Workarounds

Disable Page Cache Module (applies to: all platforms)

Temporarily disable the vulnerable page cache module until patching is possible.

Navigate to Hummingbird → Caching → Page Cache → Disable

Disable Plugin (applies to: all platforms)

Completely disable the Hummingbird plugin if it is not essential.

Navigate to Plugins → Installed Plugins → Hummingbird → Deactivate

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block path traversal attempts.
  • Restrict file permissions on web directories to prevent arbitrary file writes.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Hummingbird version. If version is below 3.4.2 and page cache is enabled, the system is vulnerable.

Check Version:

wp plugin get hummingbird-performance --field=version (if WP-CLI is installed)

Verify Fix Applied:

Verify Hummingbird plugin version is 3.4.2 or higher in WordPress admin panel.
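The two conditions above (plugin version below 3.4.2, page cache enabled) can be checked from a shell on the WordPress host. The script below is an added example, not part of this advisory or of the Hummingbird plugin; the function names are hypothetical. It reuses the WP-CLI command given above for the version, compares version components as integers (so that 3.10.x is correctly treated as newer than 3.4.2), and takes the page cache state as an argument, because the advisory names no CLI flag for reading it and it has to be read from Hummingbird → Caching → Page Cache in the admin panel.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a Hummingbird install
# matches the vulnerable condition stated above, i.e. plugin version below
# 3.4.2 with the page cache module enabled.

FIXED_VERSION="3.4.2"

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Components are compared as integers, so 3.10.0 sorts after 3.4.2.
version_lt() {
    i=1
    while :; do
        # The trailing dot guarantees cut sees a delimiter even for "3".
        a=$(printf '%s.' "$1" | cut -d. -f"$i")
        b=$(printf '%s.' "$2" | cut -d. -f"$i")
        [ -z "$a" ] && [ -z "$b" ] && return 1   # all components equal
        a=${a%%[!0-9]*}; b=${b%%[!0-9]*}           # drop suffixes such as "-beta"
        a=${a:-0}; b=${b:-0}                       # a missing component counts as 0
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
}

# hummingbird_vulnerable VERSION PAGE_CACHE: exit 0 when the install is
# vulnerable. PAGE_CACHE is "on" or "off", read manually from the admin
# panel (Hummingbird -> Caching -> Page Cache); assumption: no CLI flag.
hummingbird_vulnerable() {
    version_lt "$1" "$FIXED_VERSION" && [ "$2" = "on" ]
}

# check_site PAGE_CACHE: live check on the WordPress host using the WP-CLI
# command from the advisory. Exit 0 means vulnerable, 1 means not, 2 on error.
check_site() {
    v=$(wp plugin get hummingbird-performance --field=version) || {
        echo "could not read plugin version via WP-CLI" >&2
        return 2
    }
    if hummingbird_vulnerable "$v" "$1"; then
        echo "VULNERABLE: Hummingbird $v with page cache $1 (update to $FIXED_VERSION)"
        return 0
    fi
    echo "not vulnerable: Hummingbird $v, page cache $1"
    return 1
}

# Live use on the host: sh check_hummingbird.sh --live on
if [ "${1:-}" = "--live" ]; then
    check_site "${2:?page cache state (on/off) required}"
fi
```

Run it on the host as `sh check_hummingbird.sh --live on` (or `off`) after reading the page cache state from the admin panel; an exit status of 0 means the install still needs the 3.4.2 update.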

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in web server logs
  • Requests containing '../' patterns to cache endpoints

Network Indicators:

  • HTTP requests to /wp-content/plugins/hummingbird-performance/cache/ with path traversal sequences

SIEM Query:

web.url:*hummingbird*cache* AND web.url:*..*
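The log indicator above (requests with '../' to the plugin's cache path) can be checked directly against web server access logs when no SIEM is in place. The script below is an added example, not part of this advisory; the function names are hypothetical, the log lines are constructed for the example, and the common/combined log format is assumed (request path in the 7th whitespace-separated field). It goes slightly beyond the SIEM query above by also matching the URL-encoded forms of the traversal sequence (`%2e%2e/`, `..%2f`, `%2e%2e%2f`), which a literal `*..*` match would miss.

```shell
#!/bin/sh
# Added example (not from the advisory): flag access-log requests to the
# Hummingbird cache path that carry a path-traversal sequence.

# hb_traversal_hits: read access-log lines on stdin, print those whose
# request path targets the plugin's cache directory with a traversal
# sequence, literal or URL-encoded. Paths are lowercased first so that
# %2E and %2e are treated alike.
hb_traversal_hits() {
    awk '
        { p = tolower($7) }
        p ~ "hummingbird-performance/cache/" &&
        p ~ /(\.\.\/|\.\.%2f|%2e%2e\/|%2e%2e%2f)/ { print }
    '
}

# hb_traversal_count: number of flagged lines on stdin.
hb_traversal_count() {
    hb_traversal_hits | wc -l | tr -d ' '
}

# sample_log: constructed combined-format log lines (not real traffic).
# Lines 2 and 3 should be flagged; line 4 has '../' but is not a request to
# the plugin's cache path, so this rule leaves it alone.
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [10/Mar/2023:12:00:01 +0000] "GET /wp-content/plugins/hummingbird-performance/cache/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2023:12:00:02 +0000] "GET /wp-content/plugins/hummingbird-performance/cache/../../../probe.txt HTTP/1.1" 200 0 "-" "curl/7.88"
203.0.113.11 - - [10/Mar/2023:12:00:03 +0000] "GET /wp-content/plugins/hummingbird-performance/cache/%2E%2E%2F%2E%2E%2Fprobe.txt HTTP/1.1" 200 0 "-" "curl/7.88"
203.0.113.12 - - [10/Mar/2023:12:00:04 +0000] "GET /wp-includes/js/../jquery.js HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Mar/2023:12:00:05 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF
}

# Live use: hb_traversal_hits < /var/log/apache2/access.log
```

Feed a real log with `hb_traversal_hits < access.log`; each flagged line should be reviewed together with the response status, since a 200 on a traversal request to a vulnerable version is the case worth escalating.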
