CVE-2026-4350
Received Received - Intake
Path Traversal in Perfmatters Plugin Allows Arbitrary File Deletion

Publication date: 2026-04-03

Last updated on: 2026-04-03

Assigner: Wordfence

Description
The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server by using `../` path traversal sequences, including `wp-config.php` which would force WordPress into the installation wizard and allow full site takeover.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4350
EUVD
EUVD-2026-18609
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
perfmatters perfmatters to 2.5.9.1 (inc)
perfmatters perfmatters From 2.4.4 (inc) to 2.6.0 (inc)
perfmatters perfmatters 9.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Perfmatters plugin for WordPress has a vulnerability that allows arbitrary file deletion through path traversal in all versions up to and including 2.5.9.1.

This happens because the method PMCS::action_handler() processes the $_GET['delete'] parameter without sanitizing it, checking authorization, or verifying a nonce.

An attacker with Subscriber-level access or higher can exploit this by using '../' sequences in the filename to delete arbitrary files on the server, including critical files like wp-config.php.

Deleting wp-config.php would force WordPress into the installation wizard, potentially allowing full site takeover.

Impact Analysis

This vulnerability can lead to severe impacts including the deletion of arbitrary files on the server by an authenticated user with low-level access.

Critical files such as wp-config.php can be deleted, which would disrupt the WordPress installation and force it into the installation wizard.

This disruption can allow an attacker to take over the entire site, leading to potential data loss, service downtime, and unauthorized control.

The CVSS score of 8.1 (High) reflects the significant integrity and availability impact of this vulnerability.

Detection Guidance

The vulnerability involves the Perfmatters WordPress plugin processing the 'delete' parameter in the URL without sanitization or authorization checks, allowing arbitrary file deletion via path traversal sequences like '../'. Detection can focus on monitoring HTTP requests to the WordPress site that include suspicious 'delete' parameters with path traversal patterns.

  • Check web server access logs for requests containing 'delete=' parameters with '../' sequences.
  • Use commands like grep to search logs, for example: grep -i 'delete=.*\.\./' /var/log/apache2/access.log
  • Monitor for unexpected deletion of critical files such as 'wp-config.php' or other important WordPress files.
  • Scan the plugin version installed; versions up to and including 2.5.9.1 are vulnerable.
Mitigation Strategies

Immediate mitigation steps include updating the Perfmatters plugin to a version later than 2.5.9.1 where this vulnerability is fixed.

Restrict or monitor authenticated user access, especially for Subscriber-level accounts, to prevent exploitation.

Implement web application firewall (WAF) rules to block requests containing suspicious 'delete' parameters with path traversal sequences.

Review and harden file permissions on the server to limit the ability of the web server process to delete critical files.

Consider temporarily disabling the Perfmatters plugin if immediate update is not possible.

Compliance Impact

The vulnerability in the Perfmatters plugin allows authenticated attackers with Subscriber-level access to delete arbitrary files on the server, including critical files like wp-config.php. This can lead to a full site takeover.

Such unauthorized file deletion and potential site takeover could result in loss or alteration of sensitive data, disruption of service, and compromise of data integrity.

These impacts may affect compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity, availability, and confidentiality, as well as proper access controls and incident response.

However, the provided information does not explicitly detail compliance implications or specific regulatory impacts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4350. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart