CVE-2026-4351
Received Received - Intake
Path Traversal File Overwrite in Perfmatters WordPress Plugin

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: Wordfence

Description
The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2.5.9. This is due to the `PMCS::action_handler()` method processing the bulk action `activate`/`deactivate` handlers without any authorization check or nonce verification. The `$_GET['snippets'][]` values are passed unsanitized to `Snippet::activate()`/`Snippet::deactivate()` which call `Snippet::update()` then `file_put_contents()` with the traversed path. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service by corrupting critical files like `.htaccess` or `index.php`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4351
EUVD
EUVD-2026-21262
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
perfmatters perfmatters to 2.5.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Perfmatters plugin for WordPress has a vulnerability that allows an attacker to overwrite arbitrary files on the server by exploiting a path traversal flaw.

This happens because the plugin's method handling bulk actions like 'activate' or 'deactivate' does not perform authorization checks or nonce verification.

Specifically, the plugin processes unsanitized input from the 'snippets' parameter, which is passed to functions that write files to the server, enabling an attacker with Subscriber-level access or higher to overwrite files with fixed PHP docblock content.

Impact Analysis

An attacker with at least Subscriber-level access can exploit this vulnerability to overwrite critical files on your server.

This can lead to denial of service by corrupting important files such as .htaccess or index.php, potentially disrupting your website's functionality.

Detection Guidance

Detection of this vulnerability involves checking for unauthorized file modifications or suspicious activity related to the Perfmatters plugin's bulk action handlers.

Since the vulnerability allows arbitrary file overwrite via path traversal through the `activate`/`deactivate` bulk actions, monitoring for unexpected changes to critical files such as `.htaccess` or `index.php` is important.

You can use commands to find recently modified files in your WordPress installation directory, for example:

  • find /path/to/wordpress -type f -mtime -7 -exec ls -l {} \;

Additionally, reviewing web server logs for unusual requests involving the Perfmatters plugin's bulk actions or suspicious GET parameters like `snippets[]` may help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include updating the Perfmatters plugin to a version later than 2.5.9 where this vulnerability is fixed.

If an update is not immediately possible, restrict access to the WordPress admin area to trusted users only, as the vulnerability requires at least Subscriber-level access.

Implement additional security measures such as disabling bulk actions in the plugin or applying web application firewall (WAF) rules to block suspicious requests targeting the `activate`/`deactivate` handlers with path traversal payloads.

Regularly monitor critical files for unauthorized changes and maintain backups to restore files if overwritten.

Compliance Impact

The vulnerability allows authenticated attackers with Subscriber-level access and above to overwrite arbitrary files on the server, potentially causing denial of service by corrupting critical files.

Such unauthorized file overwrites could lead to integrity and availability issues of the affected systems, which may impact compliance with standards like GDPR and HIPAA that require protection of data integrity and system availability.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4351. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart