CVE-2026-4351
Path Traversal File Overwrite in Perfmatters WordPress Plugin
Publication date: 2026-04-10
Last updated on: 2026-04-10
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| perfmatters | perfmatters | up to and including 2.5.9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Perfmatters plugin for WordPress has a vulnerability that allows an attacker to overwrite arbitrary files on the server by exploiting a path traversal flaw.
This happens because the plugin's method handling bulk actions like 'activate' or 'deactivate' does not perform authorization checks or nonce verification.
Specifically, the plugin processes unsanitized input from the 'snippets' parameter, which is passed to functions that write files to the server, enabling an attacker with Subscriber-level access or higher to overwrite files with fixed PHP docblock content.
How can this vulnerability impact me?
An attacker with at least Subscriber-level access can exploit this vulnerability to overwrite critical files on your server.
This can lead to denial of service by corrupting important files such as .htaccess or index.php, potentially disrupting your website's functionality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for unauthorized file modifications or suspicious activity related to the Perfmatters plugin's bulk action handlers.
Since the vulnerability allows arbitrary file overwrite via path traversal through the `activate`/`deactivate` bulk actions, monitoring for unexpected changes to critical files such as `.htaccess` or `index.php` is important.
You can use commands to find recently modified files in your WordPress installation directory, for example:
- `find /path/to/wordpress -type f -mtime -7 -exec ls -l {} \;`
Additionally, reviewing web server logs for unusual requests involving the Perfmatters plugin's bulk actions or suspicious GET parameters like `snippets[]` may help detect exploitation attempts.
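As an added example (not part of this record and not code from the Perfmatters plugin), a small Python scanner that applies the log-review advice above: it parses combined-format access log lines, decodes every `snippets[]` query value (including double-encoded forms) and reports requests whose values resolve to a path traversal. The admin URL layout and the log lines are constructed assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; the admin URL layout is an
# assumption for illustration, not the plugin's documented endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2026:12:00:01 +0000] "GET /wp-admin/admin.php?page=perfmatters&action=activate&snippets%5B%5D=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2026:12:00:02 +0000] "GET /wp-admin/admin.php?page=perfmatters&action=deactivate&snippets%5B%5D=..%2F..%2F..%2F.htaccess HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2026:12:00:03 +0000] "GET /wp-admin/admin.php?page=perfmatters&action=activate&snippets%5B%5D=%252e%252e%252findex.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.2 - - [10/Apr/2026:12:00:04 +0000] "GET /wp-admin/admin.php?page=perfmatters HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) so a double-encoded
    traversal sequence is judged on its final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value: str) -> bool:
    """True if the decoded value would escape a fixed directory: it is an
    absolute path or contains a '..' segment (either separator style)."""
    path = fully_decode(value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def scan_log(text: str) -> list:
    """Return (client_ip, action, decoded suspicious snippet values) for every
    request whose snippets[] parameter carries a traversal sequence."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group("target")).query)
        values = query.get("snippets[]", []) + query.get("snippets", [])
        suspicious = [fully_decode(v) for v in values if is_traversal(v)]
        if suspicious:
            hits.append((line.split()[0], query.get("action", ["?"])[0], suspicious))
    return hits

if __name__ == "__main__":
    for ip, action, values in scan_log(SAMPLE_LOG):
        print(f"{ip} action={action} snippets={values}")
```

Access logs only record the query string, so parameters sent in a POST body will not appear here; correlate with file modification times from the `find` command above to cover that gap.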
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers with Subscriber-level access and above to overwrite arbitrary files on the server, potentially causing denial of service by corrupting critical files.
Such unauthorized file overwrites could lead to integrity and availability issues of the affected systems, which may impact compliance with standards like GDPR and HIPAA that require protection of data integrity and system availability.
However, the provided information does not explicitly describe the direct impact on compliance with these regulations.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Perfmatters plugin to a version later than 2.5.9 where this vulnerability is fixed.
If an update is not immediately possible, restrict access to the WordPress admin area to trusted users only, as the vulnerability requires at least Subscriber-level access.
Implement additional security measures such as disabling bulk actions in the plugin or applying web application firewall (WAF) rules to block suspicious requests targeting the `activate`/`deactivate` handlers with path traversal payloads.
Regularly monitor critical files for unauthorized changes and maintain backups to restore files if overwritten.