Platform: wordpress
Component: perfmatters
Fixed in: 2.5.10, 2.6.0
CVE-2026-4351 describes a Path Traversal vulnerability discovered in the Perfmatters plugin for WordPress. This vulnerability allows authenticated attackers to overwrite arbitrary files on the server, potentially leading to complete system compromise. The issue affects versions up to 2.5.9, and a fix is available in version 2.6.0.
The vulnerability lies within the PMCS::actionhandler() method, which processes the activate and deactivate bulk actions without proper authorization checks or nonce verification. Malicious actors with Subscriber-level access or higher can exploit this by manipulating the $_GET['snippets'][] parameter. This parameter is passed unsanitized to Snippet::activate()/Snippet::deactivate(), which ultimately call Snippet::update() and file_put_contents(). Because the value is never sanitized, attackers can craft requests containing path traversal sequences, enabling them to overwrite critical system files or plugin configurations. Successful exploitation could lead to remote code execution, denial of service, or data breaches.
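As an added illustration (not the Perfmatters plugin's code), the following hypothetical WordPress bulk-action handler shows the three controls the advisory says were absent: a capability check, a nonce check, and confinement of the target path to a fixed directory before file_put_contents() runs. SNIPPET_DIR, the nonce action string and the function names are assumptions; the snippet store is assumed to hold one JSON file per snippet.

```php
<?php
// Added example, not Perfmatters code. Hypothetical handler showing the
// authorization, nonce and path-confinement checks the advisory describes as missing.
// SNIPPET_DIR, 'snippet_bulk_action' and the function names are assumptions.
define( 'SNIPPET_DIR', WP_CONTENT_DIR . '/snippets/' ); // hypothetical snippet store

// Map a user-supplied snippet name to a path inside SNIPPET_DIR, or false otherwise.
function hardened_snippet_path( $name ) {
    // Keep only a bare file name; this drops '../' and any directory separators.
    $name = sanitize_file_name( wp_basename( $name ) );
    if ( '' === $name || 'json' !== pathinfo( $name, PATHINFO_EXTENSION ) ) {
        return false;
    }
    $base = realpath( SNIPPET_DIR );
    $path = realpath( SNIPPET_DIR . $name ); // false if the file does not exist
    // Final containment check on the resolved path (also defeats symlink tricks).
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $path;
}

function hardened_snippet_action() {
    // 1. Authorization: a Subscriber-level account must never reach the write below.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. Nonce: rejects forged or cross-site requests for this specific action.
    check_admin_referer( 'snippet_bulk_action' );
    $action   = isset( $_GET['action'] ) ? sanitize_key( $_GET['action'] ) : '';
    $snippets = isset( $_GET['snippets'] )
        ? array_filter( (array) wp_unslash( $_GET['snippets'] ), 'is_string' )
        : array();
    if ( ! in_array( $action, array( 'activate', 'deactivate' ), true ) ) {
        wp_die( 'Unknown action', 400 );
    }
    foreach ( $snippets as $raw ) {
        // 3. Path confinement: skip anything that would resolve outside SNIPPET_DIR.
        $path = hardened_snippet_path( $raw );
        if ( false === $path ) {
            continue; // rejected input never reaches file_put_contents()
        }
        $data           = (array) json_decode( (string) file_get_contents( $path ), true );
        $data['active'] = ( 'activate' === $action );
        file_put_contents( $path, wp_json_encode( $data ), LOCK_EX );
    }
}
```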
CVE-2026-4351 was publicly disclosed on 2026-04-10. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-4351 is to immediately upgrade the Perfmatters plugin to version 2.6.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file access permissions for the WordPress uploads directory. Additionally, implement a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences (e.g., ../). Regularly review plugin access permissions and ensure that only necessary roles have access to sensitive functions. After upgrading, verify the fix by attempting to access a file outside the intended directory via the vulnerable endpoint and confirming that access is denied.
Update to version 2.6.0, or a newer patched version
CVE-2026-4351 is a Path Traversal vulnerability affecting the Perfmatters WordPress plugin, allowing attackers to overwrite files. It impacts versions up to 2.5.9 and has a CVSS score of 8.1 (HIGH).
You are affected if you are running Perfmatters plugin version 2.5.9 or earlier on your WordPress site. Check your plugin version and upgrade immediately if necessary.
Upgrade the Perfmatters plugin to version 2.6.0 or later. As a temporary workaround, restrict file access permissions and implement WAF rules to block suspicious requests.
Currently, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly due to the vulnerability's severity.
Refer to the official Perfmatters plugin website and WordPress.org plugin repository for the latest security advisories and updates related to CVE-2026-4351.