CVE-2026-4350 Overview
The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This vulnerability exists due to the PMCS::action_handler() method processing the $_GET['delete'] parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to unlink(), enabling authenticated attackers with Subscriber-level access and above to delete arbitrary files on the server by using ../ path traversal sequences.
Critical Impact
Attackers can delete critical files including wp-config.php, which would force WordPress into the installation wizard and allow complete site takeover.
Affected Products
- Perfmatters WordPress Plugin versions up to and including 2.5.9.1
Discovery Timeline
- 2026-04-03 - CVE-2026-4350 published to NVD
- 2026-04-03 - Last updated in NVD database
Technical Details for CVE-2026-4350
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The core issue lies in the PMCS::action_handler() method which accepts user-controlled input through the $_GET['delete'] parameter without implementing proper security controls.
The vulnerability chain involves three critical security failures: missing input sanitization allows path traversal sequences (../) to escape the intended directory, absent authorization checks permit any authenticated user (including low-privileged Subscribers) to trigger the deletion functionality, and the lack of nonce verification enables potential CSRF attacks.
When exploited, the attacker can traverse the filesystem and delete any file the web server process is able to unlink; on Linux that means any file in a directory the process can write to, regardless of the file's own permissions, and on typical shared hosting that includes the WordPress root. The most damaging scenario is deleting wp-config.php, WordPress's main configuration file, which holds the database credentials and security keys. With that file gone, WordPress drops into its installation wizard, where the attacker can point the installer at a database they control and create an administrator account on the resulting site; from there, uploading a plugin gives code execution on the server, which amounts to complete site takeover.
Root Cause
The root cause is the direct use of unsanitized user input in a file system operation. The $_GET['delete'] parameter value is concatenated with a storage directory path and passed directly to PHP's unlink() function without validating that the resulting path stays within the intended directory bounds. The code lacks basename extraction, canonical path resolution, or any form of path containment checks.
Attack Vector
The attack is network-based and needs nothing more than a Subscriber-level session on the site. The attacker sends a crafted HTTP GET request carrying path traversal sequences in the delete parameter. Because the handler performs neither a capability check nor nonce verification, the same request also works as a CSRF payload: any logged-in user, not only an administrator, who is lured into loading the URL will trigger the deletion, which gives an attacker without an account of their own a route to the bug.
The exploitation path is a URL whose delete parameter contains directory traversal sequences (such as ../../../wp-config.php), which makes the plugin unlink a file outside its intended storage directory. In the direct variant the attacker's own authenticated request is the only interaction needed; in the CSRF variant the victim merely has to load the URL while logged in.
Detection Methods for CVE-2026-4350
Indicators of Compromise
- Web server access logs showing GET requests with ../ sequences (plain or percent-encoded) in the delete parameter. The advisory does not state which URL reaches PMCS::action_handler(), so search on the parameter rather than only on requests under the plugin's directory
- Missing critical WordPress files such as wp-config.php or other core files
- WordPress site suddenly displaying the installation wizard without administrative action
- File system audit logs showing unexpected file deletions by the web server process
Detection Strategies
- Monitor HTTP request logs for path traversal patterns (../, ..%2f, %2e%2e/, the double-encoded ..%252f, and backslash variants) in query parameters; decode the value before matching so encoded forms are not missed, and treat .. as suspicious only when it forms a whole path component, or names like backup..2026.css will raise false alarms
- Implement file integrity monitoring for critical WordPress files including wp-config.php, .htaccess, and core WordPress files
- Configure Web Application Firewall (WAF) rules to block requests whose delete parameter contains a traversal sequence after decoding; a blanket rule on ../ across all query strings tends to break legitimate requests, and a WAF is a stopgap rather than a substitute for the update
- Set up alerts for authentication events followed by suspicious file operations
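The indicators and the log-monitoring strategy above can be checked with a small detector; the one below is an added example, not from this page, the plugin or SentinelOne. The log lines and the admin.php?page=perfmatters request path are constructed for the demonstration (the advisory does not say which URL reaches the handler), so the detector keys on the delete parameter rather than on the path, fully decodes the value so that single-, double- and backslash-encoded forms are caught, and only flags .. when it is a whole path component.

```python
"""Traversal detector for the Perfmatters 'delete' parameter in web server
access logs (added example). Sample lines and the request path are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign delete, four encodings of the same traversal,
# and one benign name that merely contains "..".
SAMPLE_LOG = """\
203.0.113.5 - - [03/Apr/2026:10:15:01 +0000] "GET /wp-admin/admin.php?page=perfmatters&delete=old.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Apr/2026:10:16:22 +0000] "GET /wp-admin/admin.php?page=perfmatters&delete=../../../wp-config.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
198.51.100.7 - - [03/Apr/2026:10:16:30 +0000] "GET /wp-admin/admin.php?page=perfmatters&delete=%2e%2e%2f%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
198.51.100.7 - - [03/Apr/2026:10:16:41 +0000] "GET /wp-admin/admin.php?page=perfmatters&delete=..%252f..%252f..%252fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
198.51.100.7 - - [03/Apr/2026:10:16:55 +0000] "GET /wp-admin/admin.php?page=perfmatters&delete=..%5c..%5c..%5cwp-config.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
203.0.113.9 - - [03/Apr/2026:10:20:03 +0000] "GET /wp-admin/admin.php?page=perfmatters&delete=backup..2026.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so a
    double-encoded ..%252f unwraps to ../ like the plain form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(value: str) -> str:
    """Canonical view of the parameter: fully decoded, backslashes folded to '/'."""
    return decode_fully(value).replace("\\", "/")


def is_traversal(value: str) -> bool:
    """True only when '..' is a whole path component; 'backup..2026.css' is not."""
    return any(part == ".." for part in normalize(value).split("/"))


def scan_log(text: str, param: str = "delete") -> list:
    """Return one hit per request whose `param` value traverses directories."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes once; decode_fully handles any further layers.
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for raw in params.get(param, []):
            if is_traversal(raw):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "decoded": normalize(raw),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against the sample, the detector reports the four requests from 198.51.100.7 and stays quiet on old.css and backup..2026.css. A 200 status on a hit is not proof the unlink succeeded; pair the alert with file integrity monitoring on wp-config.php and the other files listed above.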
Monitoring Recommendations
- Enable WordPress security plugin logging to capture plugin-related activity and file modifications
- Configure real-time file integrity monitoring with SentinelOne to detect unauthorized file deletions
- Monitor for WordPress entering installation mode as an indicator of wp-config.php deletion
- Review user role assignments to identify potentially compromised Subscriber accounts
How to Mitigate CVE-2026-4350
Immediate Actions Required
- Update Perfmatters to a release later than 2.5.9.1 without delay, and confirm in the Perfmatters Changelog that the installed release contains the fix
- If immediate patching is not possible, temporarily deactivate the Perfmatters plugin until the update can be applied
- Audit WordPress user accounts and remove any unnecessary Subscriber-level accounts
- Review file system backups to ensure wp-config.php and critical files can be restored if compromised
Patch Information
Review the Perfmatters Changelog for the latest security patches addressing this vulnerability. Additional technical details are available in the Wordfence Vulnerability Report. Update to a version newer than 2.5.9.1 that addresses this path traversal vulnerability.
Workarounds
- Deactivate the Perfmatters plugin until a patched version is available
- Implement Web Application Firewall rules to block requests containing path traversal sequences targeting the plugin
- Restrict Subscriber registration if not required for business operations
- Set immutable flags on critical files like wp-config.php at the operating system level where supported (chattr +i on Linux ext4, XFS and btrfs); an immutable file cannot be unlinked or renamed even by a process that can write to its directory, but the flag must be cleared before WordPress or a hosting tool can rewrite the file, and it protects only the files you flag, not the rest of the site
- Deploy file integrity monitoring to detect and alert on unauthorized file deletions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.