wpvulndb
Karol Mazurek (AFINE)
WPVDB-ID:512A9BA4-01C0-4614-A991-EFDC7FE51ABE
Mar 20, 2023 - 12:00 a.m.

Hummingbird < 3.4.2 - Unauthenticated Path Traversal

wpscan.com

EPSS: 0.002 (percentile: 58.7%)

The plugin does not validate the generated file path for page cache files before writing them, leading to a path traversal vulnerability in the page cache module. This allows an attacker to:

- Enumerate file system directories where the user who starts the web server process has write access.
- Crash the server by generating an endless number of unique queries, which will be saved outside wphb-cache, thus preventing the purge cache functionality from removing cached files from the server file system.
- Disable some web application functionalities (like breaking the redirections) because the plugin creates an empty index.html in the directory where it saves the cache file.
- Write cache files, including index.html, to the web application directories on the same server, which may significantly affect availability.

PoC

Note that in order to reproduce this, the web server running WordPress must allow URLs with paths that contain traversal. This is reproducible on Apache 2.4.43. The following curl command will place the cache files in the WordPress web root.

curl --path-as-is http://my.site///search///..///..///..///..///..///page
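
The missing check described above, sketched as an added example (not the plugin's code and not its actual fix): resolve the generated cache path lexically and refuse to write when it leaves the cache root. The function names, the directory layout and the sample request paths are assumptions made for illustration.

```php
<?php
// Added illustration, not Hummingbird's code; all names are hypothetical.

// Resolve "." and ".." lexically. realpath() is no use here because the
// cache file does not exist yet when the path has to be checked.
function normalize_path(string $path): string
{
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;            // collapses "///" and "/./"
        }
        if ($seg === '..') {
            array_pop($out);     // step up, never above "/"
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Returns the cache file path, or null when the resolved path leaves
// $cacheRoot (the caller should then skip caching the response).
// Assumes $requestPath is the URL path after percent-decoding.
function cache_file_for(string $cacheRoot, string $requestPath): ?string
{
    $root      = normalize_path($cacheRoot);
    $candidate = normalize_path($root . '/' . $requestPath . '/index.html');
    // Compare against "$root/" so a sibling such as "wphb-cache-old" fails.
    if (strncmp($candidate, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed directory layout and request paths (assumptions).
$root = '/var/www/html/wp-content/wphb-cache/cache/my.site';
$poc  = '///search///..///..///..///..///..///page';

// Where an unvalidated join of root and request path would write:
echo normalize_path($root . '/' . $poc . '/index.html'), PHP_EOL;
// The validated helper on a normal page, then on the traversal path:
var_dump(cache_file_for($root, '/blog/hello-world/'));
var_dump(cache_file_for($root, $poc));
```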
