Description
The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2.5.9. This is due to the `PMCS::action_handler()` method processing the bulk action `activate`/`deactivate` handlers without any authorization check or nonce verification. The `$_GET['snippets'][]` values are passed unsanitized to `Snippet::activate()`/`Snippet::deactivate()` which call `Snippet::update()` then `file_put_contents()` with the traversed path. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service by corrupting critical files like `.htaccess` or `index.php`.
Published: 2026-04-10
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Overwrite
Action: Apply Patch
AI Analysis

Impact

The flaw in the Perfmatters WordPress plugin allows an authenticated user with Subscriber level or higher to supply arbitrary paths through the 'snippets' parameter. Because the action handler processes these paths without sanitization or authorization checks, the plugin writes directly to the specified location using file_put_contents. This path traversal leads to overwriting of critical files such as .htaccess or index.php, potentially causing denial of service or enabling remote code execution if the attacker writes malicious content.

Affected Systems

WordPress installations using the Perfmatters plugin, versions 2.5.9 and earlier, are affected. Any site running one of those releases without an updated version is vulnerable.

Risk and Exploitability

The vulnerability scores a 8.1 on the CVSS scale, indicating high severity. The EPSS score is not available, and it is not listed in CISA’s KEV catalog. Likely exploitation requires a user authenticated as Subscriber or higher, and the attacker can trigger the overwrite by directing the plugin to process a crafted 'snippets' request. Because the plugin lacks any nonce verification, the attack can be performed remotely if the site allows authenticated actions via the baseline login mechanism.

Generated by OpenCVE AI on April 10, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Perfmatters plugin to the latest version (2.6.0 or later).
  • Verify that all sites are running the patched plugin and no older versions remain.
  • If an immediate update is impossible, disable the plugin or remove the 'snippets' functionality to block the vulnerable endpoint.

Generated by OpenCVE AI on April 10, 2026 at 02:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Perfmatters
Perfmatters perfmatters
Wordpress
Wordpress wordpress
Vendors & Products Perfmatters
Perfmatters perfmatters
Wordpress
Wordpress wordpress

Fri, 10 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2.5.9. This is due to the `PMCS::action_handler()` method processing the bulk action `activate`/`deactivate` handlers without any authorization check or nonce verification. The `$_GET['snippets'][]` values are passed unsanitized to `Snippet::activate()`/`Snippet::deactivate()` which call `Snippet::update()` then `file_put_contents()` with the traversed path. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service by corrupting critical files like `.htaccess` or `index.php`.
Title Perfmatters <= 2.5.9 - Authenticated (Subscriber+) Arbitrary File Overwrite via 'snippets' Parameter
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Perfmatters Perfmatters
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-10T15:54:52.222Z

Reserved: 2026-03-17T17:19:49.858Z

Link: CVE-2026-4351

cve-icon Vulnrichment

Updated: 2026-04-10T15:51:34.994Z

cve-icon NVD

Status : Received

Published: 2026-04-10T02:16:03.553

Modified: 2026-04-10T02:16:03.553

Link: CVE-2026-4351

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:27:09Z

Weaknesses