Description
The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server by using `../` path traversal sequences, including `wp-config.php` which would force WordPress into the installation wizard and allow full site takeover.
Published: 2026-04-03
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion that can lead to full WordPress site takeover
Action: Immediate patch
AI Analysis

Impact

The Perfmatters plugin for WordPress contains a flaw in the "delete" action handler: the value of the $_GET['delete'] parameter is concatenated onto the plugin's storage directory path without sanitization, authorization checks, or nonce verification and passed to PHP's unlink() function. An authenticated user with Subscriber privileges or higher can supply path traversal sequences such as ../ to escape the storage directory and delete arbitrary files on the server, including critical files like wp-config.php. Removing that file forces WordPress back into its installation wizard, effectively handing full control of the site to the attacker.
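The Description above and this Impact paragraph describe the same weak pattern: a request parameter concatenated onto the storage directory and handed to `unlink()` with no authorization, nonce, or path check. The following is an added example of how such a handler is hardened. It is illustrative code written for this page, not Perfmatters' code; the function name `pm_handle_delete_request`, the nonce action `pm_delete_file` and the `manage_options` capability are assumptions.

```php
<?php
// Added example (not Perfmatters' own code): a hardened handler for a
// "delete a file from the plugin's storage directory" action. The function
// name, the nonce action 'pm_delete_file' and the 'manage_options' capability
// are assumptions chosen for illustration; the right capability depends on
// what the feature is meant to expose.

function pm_handle_delete_request( string $storage_dir ): bool {
    // 1. Authorization: only users allowed to manage the site may delete files.
    //    The vulnerable pattern skipped this, so a Subscriber could reach unlink().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF protection: the request must carry a valid nonce for this action.
    check_admin_referer( 'pm_delete_file', '_wpnonce' );

    // 3. Input validation: accept only a non-empty string (PHP also allows
    //    delete[]=... arrays, which basename() would reject with a TypeError).
    $raw = isset( $_GET['delete'] ) ? wp_unslash( $_GET['delete'] ) : '';
    if ( ! is_string( $raw ) || '' === $raw ) {
        return false;
    }

    // 4. Sanitization: reduce the value to a bare file name. basename() drops any
    //    directory component, so "../wp-config.php" becomes "wp-config.php" and is
    //    looked up inside the storage directory instead of outside it.
    $requested = sanitize_file_name( basename( $raw ) );
    if ( '' === $requested ) {
        wp_die( 'Invalid file name.', 400 );
    }

    // 5. Containment check: canonicalize both paths and require the target to sit
    //    under the storage directory even after symlink resolution. The trailing
    //    slash on $base stops "/storage-other/..." from passing as a prefix match.
    $base   = realpath( $storage_dir );
    $target = realpath( trailingslashit( $storage_dir ) . $requested );
    if ( false === $base || false === $target
        || 0 !== strpos( $target, trailingslashit( $base ) ) ) {
        wp_die( 'File not found.', 404 );
    }

    // 6. Only regular files are deleted; directories and special entries are refused.
    if ( ! is_file( $target ) ) {
        wp_die( 'File not found.', 404 );
    }

    return unlink( $target );
}
```

Steps 1 and 2 close the authorization and nonce gaps named in the Description; steps 4 and 5 are both needed, because `basename()` alone does not protect against a symlink placed inside the storage directory, and the `realpath()` prefix check alone would still let a caller enumerate which names resolve.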

Affected Systems

All releases of Perfmatters up to and including version 2.5.9.1 are affected. Exploitation requires an authenticated account with the Subscriber role or higher. Subscriber is the least-privileged default WordPress role, so on sites that allow self-registration any registered visitor meets this requirement.

Risk and Exploitability

The severity is rated CVSS 8.1, indicating a high risk. The EPSS score is below 1% (very low), and the issue is not listed in the Known Exploited Vulnerabilities catalog. Exploitation requires only a valid authenticated session; no additional privileges or prior setup are needed beyond standard Subscriber access. The lack of input validation makes successful exploitation straightforward once credentials are present.

Generated by OpenCVE AI on April 3, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Perfmatters plugin to the latest available release after version 2.5.9.1 once it is released
  • If an update is not yet available, disable or remove the plugin to eliminate the attack surface
  • Restrict Subscriber access to only trusted users and consider elevating role responsibilities
  • Monitor web server logs for unexpected delete requests and investigate promptly
  • Verify WordPress file permissions to prevent unauthorized file deletions
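One way to act on the log-monitoring item above is to pull every request that carries a `delete` query parameter out of the web server's access log and mark the ones whose value contains a traversal sequence. This is an added example, not OpenCVE's or Perfmatters' tooling; the function name `pm_scan_access_log` and the log lines (including the request path, which stands in for the plugin's real endpoint that the page does not name) are constructed for illustration.

```php
<?php
// Added example (not from OpenCVE or Perfmatters): report every access-log
// request that carries a "delete" query parameter and mark the ones whose value
// contains a path-traversal sequence, plain or percent-encoded. The log lines
// below are constructed; the request path is a placeholder, not the plugin's
// real endpoint.

function pm_scan_access_log( array $lines ): array {
    $findings = array();
    foreach ( $lines as $line ) {
        // Request field of the combined log format: "METHOD /path?query HTTP/x.y"
        if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
            continue;
        }
        $query = parse_url( $m[1], PHP_URL_QUERY );
        if ( ! is_string( $query ) ) {
            continue;
        }
        parse_str( $query, $params ); // decodes one layer of percent-encoding
        if ( ! isset( $params['delete'] ) || ! is_string( $params['delete'] ) ) {
            continue;
        }
        // Decode once more so a double-encoded "%252e%252e%252f" also
        // normalizes to "../" before the check.
        $value = rawurldecode( $params['delete'] );
        // ".." as a whole path segment, with either slash style as separator.
        $traversal = (bool) preg_match( '#(^|[/\\\\])\.\.([/\\\\]|$)#', $value );
        $findings[] = array(
            'line'      => $line,
            'delete'    => $value,
            'traversal' => $traversal,
        );
    }
    return $findings;
}

// Constructed sample lines (combined log format); PLUGIN-PAGE is a placeholder.
$sample_log = array(
    '203.0.113.5 - - [03/Apr/2026:10:12:01 +0000] "GET /wp-admin/admin.php?page=PLUGIN-PAGE&delete=old-cache.css HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Apr/2026:10:12:09 +0000] "GET /wp-admin/admin.php?page=PLUGIN-PAGE&delete=..%2F..%2Fwp-config.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Apr/2026:10:13:44 +0000] "GET /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
);

foreach ( pm_scan_access_log( $sample_log ) as $f ) {
    printf( "%s delete=%s\n", $f['traversal'] ? 'ALERT ' : 'notice', $f['delete'] );
}
```

Every `delete` request is reported, not only the traversal ones, because the Recommended Actions call for investigating unexpected delete requests in general; the `traversal` flag separates the ones that warrant immediate attention. A request whose value is flagged should be correlated with the WordPress user session behind it and with any subsequent hit on the installation wizard (`/wp-admin/install.php`), which is the symptom of a deleted `wp-config.php` described above.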


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 21:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Perfmatters (perfmatters); Wordpress (wordpress)
Vendors & Products   (none)           Perfmatters (perfmatters); Wordpress (wordpress)

Fri, 03 Apr 2026 14:00:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 07:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server by using `../` path traversal sequences, including `wp-config.php` which would force WordPress into the installation wizard and allow full site takeover.
Title         (none)           Perfmatters <= 2.5.9.1 - Authenticated (Subscriber+) Arbitrary File Deletion via 'delete' Parameter
Weaknesses    (none)           CWE-22
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-03T12:48:57.412Z

Reserved: 2026-03-17T17:04:50.751Z

Link: CVE-2026-4350

Vulnrichment

Updated: 2026-04-03T12:48:54.258Z

NVD

Status: Awaiting Analysis

Published: 2026-04-03T08:16:17.547

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-4350

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:17:01Z

Weaknesses