CVE-2026-13251
Status: Received - Intake

Directory Traversal in Perfmatters WordPress Plugin

Vulnerability report for CVE-2026-13251, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Wordfence

Description

The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.4 via the 's' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires the Local Google Fonts feature to be enabled (disabled by default), pretty permalinks to be active, and RSS feed links to remain enabled in the plugin settings.


Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor        Product       Version / Range
perfmatters   perfmatters   up to 2.6.4 (inclusive)
perfmatters   perfmatters   from 2.4.4 (inclusive) to 2.6.0 (inclusive)

Exploitability

CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Executive Summary

The Perfmatters plugin for WordPress has a Directory Traversal vulnerability in all versions up to and including 2.6.4. This vulnerability exists via the 's' parameter, allowing unauthenticated attackers to read arbitrary files on the server.

Exploitation requires the Local Google Fonts feature to be enabled (which is disabled by default), pretty permalinks to be active, and RSS feed links to remain enabled in the plugin settings.

Impact Analysis

This vulnerability can allow attackers to read sensitive files on the server without authentication. Such files may contain confidential information, which could lead to data leakage or further attacks.

Because the vulnerability allows reading arbitrary files, it can expose sensitive configuration files, credentials, or other private data stored on the server.

Mitigation Strategies

To mitigate the directory traversal vulnerability in the Perfmatters WordPress plugin (CVE-2026-13251), you should immediately disable the Local Google Fonts feature if it is enabled, as exploitation requires this feature to be active.

Additionally, ensure that pretty permalinks and RSS feed links are disabled or properly configured in the plugin settings to reduce the attack surface.

Most importantly, update the Perfmatters plugin to a version later than 2.6.4 where this vulnerability is fixed.

Compliance Impact

The vulnerability allows unauthenticated attackers to read arbitrary files on the server, which can include sensitive information.

Exposure of sensitive information through this directory traversal could potentially lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require protection of personal and sensitive data.

However, the provided context does not explicitly mention the impact on compliance with these standards.

Detection Guidance

The vulnerability in the Perfmatters WordPress plugin involves a Directory Traversal via the 's' parameter when certain plugin features are enabled. Detection would involve checking for suspicious HTTP requests targeting the 's' parameter that attempt to access arbitrary files on the server.

Since exploitation requires the Local Google Fonts feature to be enabled, pretty permalinks active, and RSS feed links enabled in the plugin settings, verifying these configurations can help identify if the system is vulnerable.

To detect potential exploitation attempts on your network, you can monitor web server logs for requests containing directory traversal patterns in the 's' parameter, such as '../' sequences.

  • Use grep or similar tools to search web server access logs for suspicious 's' parameter usage, e.g.:

      grep -i 's=\.\./' /var/log/apache2/access.log
      grep -i 's=\.\./' /var/log/nginx/access.log
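The grep patterns above only catch a literal '../' in the 's' parameter. The following is an added example (not code from this report, from Wordfence, or from the Perfmatters project) that goes a step further: it parses each request line, extracts every 's' query value, undoes URL encoding repeatedly so single- and double-encoded variants (%2e%2e%2f, %252e%252e%252f) and backslash separators are normalised, and then flags only values that contain a genuine '..' path segment. The log lines are constructed for the example and are not from any real server.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real traffic).
# Lines 2, 3 and 4 carry traversal attempts in the 's' parameter:
# plain, URL-encoded and double-URL-encoded respectively.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jul/2026:10:00:01 +0000] "GET /?s=wordpress HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jul/2026:10:00:02 +0000] "GET /feed/?s=../../../../etc/passwd HTTP/1.1" 200 1812 "-" "curl/8.0"
203.0.113.9 - - [02/Jul/2026:10:00:03 +0000] "GET /?s=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 0 "-" "python-requests"
203.0.113.9 - - [02/Jul/2026:10:00:04 +0000] "GET /?s=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 0 "-" "python-requests"
198.51.100.2 - - [02/Jul/2026:10:00:05 +0000] "GET /blog/?s=cache+settings HTTP/1.1" 200 7210 "-" "Mozilla/5.0"
"""

# The quoted request part of a combined-format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A '..' that stands alone as a path segment (start/end of string or between
# separators). Deliberately does not match 'a..b' or '...' inside a word.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def normalize(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), then
    treat backslashes as path separators so 'a\\..\\b' is seen as 'a/../b'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')


def is_traversal(value):
    """True if the (decoded) value contains a '..' path segment."""
    return bool(TRAVERSAL_RE.search(normalize(value)))


def scan_log(text):
    """Return one hit per 's' parameter value that looks like a traversal.

    parse_qs already decodes one layer of percent-encoding; normalize()
    then removes any further layers, so double-encoded payloads are caught.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group('target')).query
        for s_value in parse_qs(query, keep_blank_values=True).get('s', []):
            if is_traversal(s_value):
                hits.append({
                    'line': lineno,
                    'client': line.split(' ', 1)[0],
                    'raw': s_value,
                    'decoded': normalize(s_value),
                })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} s={hit['raw']!r} -> {hit['decoded']!r}")
```

To run it over a real log, replace SAMPLE_LOG with the file contents (for example `scan_log(open('/var/log/nginx/access.log').read())`). A hit on its own is not proof of a successful read; correlate it with the response size and with whether the Local Google Fonts, pretty permalink and RSS feed link conditions from the description held on that site at the time.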

Additionally, you can use curl or wget to test if the vulnerability is present by sending crafted requests to the plugin endpoint with directory traversal payloads in the 's' parameter and observing the response for file contents.
