CVE-2024-32792

4.3 MEDIUM

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in the WPMU DEV Hummingbird WordPress plugin. It allows unauthorized users to access functionality intended only for authorized users, potentially leading to unauthorized actions or information disclosure. All WordPress sites using Hummingbird plugin versions up to 3.7.3 are affected.

💻 Affected Systems

Products:
  • WPMU DEV Hummingbird WordPress Plugin
Versions: n/a through 3.7.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the Hummingbird plugin installed and activated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized users could modify plugin settings, clear caches, or access performance data, potentially disrupting site functionality or gaining insights into site configuration.

🟠 Likely Case

Low-privileged users could access administrative plugin features they shouldn't have access to, though impact is limited to plugin functionality.

🟢 If Mitigated

With proper user role management and network segmentation, impact would be minimal as the vulnerability only affects plugin-specific functionality.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of WordPress user access, but specific authorization checks are missing for certain plugin functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.4 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/hummingbird-performance/wordpress-hummingbird-plugin-3-7-3-broken-access-control-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find Hummingbird Performance.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.7.4+ from WordPress.org and update manually.

🔧 Temporary Workarounds

Disable Hummingbird Plugin

all

Temporarily disable the plugin until patched

wp plugin deactivate hummingbird-performance

Restrict Plugin Access

all

Use WordPress role management to restrict who can access plugin settings

🧯 If You Can't Patch

  • Implement strict user role management to minimize users with plugin access
  • Monitor plugin-related activity logs for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins → Hummingbird Performance version

Check Version:

wp plugin get hummingbird-performance --field=version

Verify Fix Applied:

Verify Hummingbird plugin version is 3.7.4 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized users accessing /wp-admin/admin.php?page=wphb* endpoints
  • Plugin configuration changes from non-admin users

Network Indicators:

  • HTTP requests to Hummingbird admin endpoints from unauthorized IPs/users

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin.php" AND query_string CONTAINS "page=wphb") AND user_role!="administrator"
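The version check under "How to Verify" and the log indicators and SIEM query above, as an added Python example that is not part of this advisory or the vendor's tooling. It assumes a constructed log layout that carries the WordPress user and role alongside the request (real web-server access logs do not include the role; a plugin audit log or an enriched SIEM event would), flags Hummingbird admin-page requests (page=wphb*) from non-administrator roles, and decides whether an installed version falls in the affected range (below 3.7.4).

```python
import re
from urllib.parse import urlsplit, parse_qs

# First fixed release per the advisory: anything below 3.7.4 is affected.
FIXED_VERSION = (3, 7, 4)

def parse_version(version):
    """Turn '3.7.3' into (3, 7, 3) so versions compare as tuples, not strings."""
    return tuple(int(part) for part in version.strip().split("."))

def is_affected(version):
    """True when the installed Hummingbird version is below 3.7.4."""
    return parse_version(version) < FIXED_VERSION

# Assumed log format (constructed for this example, not a real WordPress layout):
# <client_ip> <wp_user> <wp_role> "<METHOD> <uri> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) (?P<role>\S+) '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

def is_wphb_admin_request(uri):
    """Match /wp-admin/admin.php?page=wphb* (the plugin's admin pages)."""
    parts = urlsplit(uri)
    if parts.path != "/wp-admin/admin.php":
        return False
    page = parse_qs(parts.query).get("page", [""])[0]
    return page.startswith("wphb")

def find_suspicious(lines):
    """Return (user, role, uri) for plugin admin-page requests by non-administrators."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip it rather than abort the sweep
        if is_wphb_admin_request(match["uri"]) and match["role"] != "administrator":
            hits.append((match["user"], match["role"], match["uri"]))
    return hits

# Constructed sample lines; the users, IPs and roles are made up.
SAMPLE_LOG = [
    '203.0.113.10 alice administrator "GET /wp-admin/admin.php?page=wphb HTTP/1.1" 200',
    '203.0.113.11 bob subscriber "GET /wp-admin/admin.php?page=wphb-caching HTTP/1.1" 200',
    '203.0.113.12 carol editor "GET /wp-admin/admin.php?page=wphb-performance&action=clear HTTP/1.1" 200',
    '203.0.113.13 dave subscriber "GET /wp-admin/profile.php HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG), is_affected("3.7.3"))
```

A hit from a subscriber or editor is a finding to investigate; on a patched install (3.7.4+) the same request should be refused by the plugin's capability check, so the query remains useful for confirming the fix.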

🔗 References