Platform: wordpress
Component: perfmatters
Fixed in: 2.5.10, 2.6.0
CVE-2026-4351 describes a Path Traversal vulnerability discovered in the Perfmatters plugin for WordPress. This vulnerability allows authenticated attackers to overwrite arbitrary files on the server, potentially leading to complete system compromise. The issue affects versions up to 2.5.9, and a fix is available in version 2.6.0.
The impact of this vulnerability is significant. An attacker with Subscriber-level access or higher can leverage the activate/deactivate bulk actions to overwrite critical configuration files, core WordPress files, or even system files. This could lead to remote code execution, denial of service, or the theft of sensitive data. Successful exploitation could grant an attacker complete control over the affected WordPress instance. The lack of proper input sanitization in the PMCS::action_handler() method directly contributes to this risk, allowing attackers to manipulate file paths.
CVE-2026-4351 was publicly disclosed on 2026-04-10. While no public exploits are currently known, the ease of exploitation and the potential impact make this a high-priority vulnerability. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on authenticated access means attackers would need to compromise a user account with Subscriber privileges or higher.
WordPress sites running the Perfmatters plugin, particularly those that grant Subscriber-level or higher accounts to untrusted users, are at risk. Shared hosting environments where site owners have limited control over file permissions are especially exposed. Sites running outdated plugin versions or lacking robust security practices are also at increased risk.
• wordpress / composer / npm:
grep -r "Snippet::update\(" /var/www/html/wp-content/plugins/perfmatters/
• generic web:
curl -I "http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=pmcs_action_handler&snippets%5B%5D=../../../../etc/passwd"
• wordpress / composer / npm:
wp plugin list --status=all | grep perfmatters
EPSS: 0.06% (19th percentile)
The primary mitigation is to immediately upgrade the Perfmatters plugin to version 2.6.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement due to the nature of path traversal, restricting access to the wp-admin/admin-ajax.php endpoint and carefully reviewing user roles and permissions can reduce the attack surface. Regularly audit plugin code for similar vulnerabilities and enforce strict input validation practices. After upgrading, confirm the fix by attempting to trigger the vulnerable action with a manipulated snippets parameter; the action should fail with an appropriate error message.
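Detection logic for the request pattern behind this vulnerability, added here as an example that is not part of the advisory or of the Perfmatters plugin: it scans web-server access-log lines (combined format) for requests to admin-ajax.php that carry the action name and snippets[] parameter quoted in the check command above, and flags any value that still contains a ".." path segment after percent-decoding. The sample log lines are constructed, and the action and parameter names are taken from the advisory's check command rather than verified against the plugin source.

```python
"""Scan access-log lines for the CVE-2026-4351 request pattern (path traversal
through the Perfmatters admin-ajax action). Added example, not from the advisory
or the plugin. Assumes the combined log format and the action/parameter names
from the advisory's check command; POST bodies are not in access logs, so only
query-string payloads are visible here."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines, not real traffic: lines 1 and 3 carry traversal
# sequences (plain and percent-encoded), lines 2 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2026:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=pmcs_action_handler&snippets%5B%5D=../../../../etc/passwd HTTP/1.1" 200 512
203.0.113.6 - - [10/Apr/2026:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88
203.0.113.7 - - [10/Apr/2026:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=pmcs_action_handler&snippets%5B%5D=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 512
203.0.113.8 - - [10/Apr/2026:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=pmcs_action_handler&snippets%5B%5D=42 HTTP/1.1" 200 60
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A '..' path segment bounded by (back)slashes or the string ends.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def is_traversal(value: str) -> bool:
    """True if a '..' segment appears after percent-decoding (done twice to
    catch double-encoded payloads)."""
    return TRAVERSAL_RE.search(unquote(unquote(value))) is not None

def find_suspicious(log_text: str) -> list:
    """One dict per line that hits admin-ajax.php with the Perfmatters action and
    a traversal sequence in any snippets[] value."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # decodes %5B%5D -> []
        if params.get("action") != ["pmcs_action_handler"]:
            continue
        values = [v for k, vs in params.items() if k.startswith("snippets") for v in vs]
        if any(is_traversal(v) for v in values):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "values": values})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["values"])
```

Because the vulnerable action is reachable through admin-ajax.php by authenticated users, pair this with the web server's authenticated-user context (for example the WordPress login cookie or audit log) to attribute hits to an account.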
Update to version 2.6.0 or a newer patched version.
CVE-2026-4351 is a Path Traversal vulnerability affecting the Perfmatters WordPress plugin, allowing attackers to overwrite files. It impacts versions up to 2.5.9 and has a CVSS score of 8.1 (HIGH).
You are affected if you are running the Perfmatters WordPress plugin at version 2.5.9 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade the Perfmatters plugin to version 2.6.0 or later. As a temporary workaround, restrict file access permissions and implement WAF rules to block suspicious requests.
Currently, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly due to the vulnerability's severity.
Refer to the official Perfmatters plugin website and WordPress.org plugin repository for the latest security advisories and updates related to CVE-2026-4351.