Platform: wordpress
Component: perfmatters
Fixed in: 2.5.10
CVE-2026-4350 describes an arbitrary file access vulnerability within the Perfmatters WordPress plugin. This flaw allows authenticated attackers to delete arbitrary files on the server, potentially leading to data loss or website compromise. The vulnerability affects all Perfmatters versions from 0 up to and including 2.5.9.1. Version 2.6.0 addresses this vulnerability.
The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal. This vulnerability affects all versions up to and including 2.5.9.1. The issue lies within the PMCS::action_handler() method, which processes the $_GET['delete'] parameter without proper sanitization, authorization checks, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to unlink(). This allows authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, potentially compromising website integrity and enabling malicious code execution. The CVSS score for this vulnerability is 8.1, indicating high severity.
An authenticated attacker with Subscriber or higher privileges can exploit this vulnerability by sending a malicious HTTP request including a delete parameter with a relative or absolute file path pointing to a file they wish to delete. For example, a URL like https://example.com/wp-admin/admin-ajax.php?action=pmclearcache&delete=../../../../etc/passwd could delete the /etc/passwd file on the server (if permissions allow). The lack of validation in the PMCS::action_handler() function allows attackers to manipulate the file path and delete any file the WordPress process has access to.
EPSS: 0.11% (30th percentile)
The solution to this vulnerability is to update the Perfmatters plugin to version 2.6.0 or later. This version includes the necessary fixes to validate and sanitize user input before using it in file manipulation operations. Additionally, it's recommended to review WordPress user permissions and restrict access to roles that don't require file deletion capabilities. Implementing a nonce validation system for sensitive actions can help prevent Cross-Site Request Forgery (CSRF) attacks that could exploit this vulnerability. Regular security audits of the website are a recommended practice to identify and remediate potential vulnerabilities.
Update to version 2.6.0, or a newer patched version
A path traversal attack is a technique used by attackers to access files or directories outside the intended web directory, using sequences like '..' to navigate up the directory structure.
Updating the Perfmatters plugin to version 2.6.0 or later corrects the vulnerability and protects your website from potential attacks.
If you cannot update immediately, consider limiting WordPress user privileges and monitoring your website for suspicious activity.
Implement secure coding practices, including validating and sanitizing all user input, and use a nonce validation system for sensitive actions.
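The recommendations above (authorization check, nonce verification, input validation before the filename reaches unlink()) applied to the handler pattern the advisory describes, as an added illustration. This is not Perfmatters' code: the function names pm_clear_cache_handler and pm_delete_cache_file_safely, the nonce action 'pm_clear_cache', the '_wpnonce' query argument, the 'manage_options' capability and the storage directory path are all assumptions. The flawed pattern described above amounted to calling unlink() on the storage path concatenated with the raw $_GET['delete'] value, with none of the three checks below; the AJAX action name pmclearcache is taken from the request shown on this page.

```php
<?php
// Hardened cache-file deletion handler (illustration, not the plugin's own code).
// Assumes it runs inside WordPress, so WP_Error, check_ajax_referer(),
// current_user_can(), sanitize_file_name() and wp_send_json_*() are available.

/**
 * Delete one file from $storage_dir, refusing anything that is not a plain
 * filename resolving to a regular file inside that directory.
 */
function pm_delete_cache_file_safely( string $storage_dir, string $requested ) {
    // Only a bare filename is acceptable: no separators, no "." or "..".
    $name = basename( $requested );
    if ( '' === $name || '.' === $name || '..' === $name || $name !== $requested ) {
        return new WP_Error( 'pm_bad_name', 'Invalid file name.' );
    }

    $base   = realpath( $storage_dir );
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );

    // realpath() follows symlinks, so re-check that the resolved target is still
    // strictly below the storage directory (trailing separator avoids prefix tricks
    // such as /cache/perfmatters-other matching /cache/perfmatters).
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'pm_outside', 'File is outside the storage directory.' );
    }

    if ( ! is_file( $target ) ) {
        return new WP_Error( 'pm_missing', 'No such cache file.' );
    }

    return unlink( $target );
}

/**
 * AJAX handler: authorization, then CSRF nonce, then validated deletion.
 */
function pm_clear_cache_handler() {
    // 1. Authorization: Subscriber-level users must not reach the deletion code at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF protection: the nonce must match the one issued with the admin UI
    //    (assumed nonce action 'pm_clear_cache', passed as _wpnonce). Dies on failure.
    check_ajax_referer( 'pm_clear_cache', '_wpnonce' );

    // 3. Input validation: unslash, strip path-unsafe characters, then containment check.
    $requested = isset( $_GET['delete'] )
        ? sanitize_file_name( wp_unslash( $_GET['delete'] ) )
        : '';

    $storage_dir = WP_CONTENT_DIR . '/cache/perfmatters'; // assumed location for the example

    $result = pm_delete_cache_file_safely( $storage_dir, $requested );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success();
}

add_action( 'wp_ajax_pmclearcache', 'pm_clear_cache_handler' );
```

The order matters: the capability check runs first so unprivileged accounts are rejected before any filesystem work, the nonce check stops cross-site requests from a logged-in administrator's browser, and the realpath() containment test is what defeats traversal sequences even if an earlier sanitization step is bypassed. Note that no `wp_ajax_nopriv_` hook is registered, so unauthenticated requests never reach the handler.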
You can find more information about this vulnerability in the CVE database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4350