CVE-2026-4350 Overview
CVE-2026-4350 is a path traversal vulnerability in the Perfmatters plugin for WordPress affecting all versions up to and including 2.5.9.1. The flaw resides in the PMCS::action_handler() method, which processes the $_GET['delete'] parameter without sanitization, authorization checks, or nonce verification. Authenticated attackers with Subscriber-level access or higher can delete arbitrary files on the server using ../ path traversal sequences. The vulnerability is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Deleting wp-config.php forces WordPress into the installation wizard, enabling full site takeover by attackers who reconnect the site to an attacker-controlled database.
Affected Products
- Perfmatters plugin for WordPress, all versions up to and including 2.5.9.1
- WordPress sites where the plugin is installed and active
- Any WordPress installation allowing Subscriber-level registration with Perfmatters enabled
Discovery Timeline
- 2026-04-03 - CVE-2026-4350 published to the National Vulnerability Database
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-4350
Vulnerability Analysis
The vulnerability exists in the PMCS::action_handler() method of the Perfmatters plugin. The handler reads the delete parameter directly from the HTTP request via $_GET['delete'] and concatenates it with the plugin's storage directory path. The resulting path is then passed to PHP's unlink() function without filtering, escaping, or validating the input.
Three distinct security controls are missing from this code path. There is no input sanitization to strip directory traversal sequences. There is no capability or role check to restrict access to privileged users. There is no nonce verification to prevent forged or replayed requests.
An authenticated attacker holding a Subscriber account can submit a request containing ../ segments in the delete parameter. The traversal sequences allow the file pointer to escape the intended storage directory and reach any file the web server process can read. Deleting wp-config.php triggers the WordPress installation wizard on the next page load, allowing the attacker to point the site at a database under their control.
Root Cause
The root cause is improper neutralization of path traversal sequences combined with missing authorization. The action_handler() method trusts the delete parameter as a safe relative filename. PHP's unlink() function follows the resolved path without restriction, allowing deletion of any file writable by the web server user.
Attack Vector
Exploitation requires network access and a valid authenticated session at Subscriber level or higher. The attacker sends a crafted GET request to the vulnerable endpoint with a path traversal payload in the delete parameter. No user interaction beyond the attacker's own authenticated request is required. See the Wordfence Vulnerability Report for technical analysis.
Detection Methods for CVE-2026-4350
Indicators of Compromise
- HTTP GET requests containing delete= parameters with ../ or URL-encoded %2e%2e%2f sequences targeting Perfmatters endpoints
- Unexpected absence of wp-config.php, .htaccess, or core WordPress files on the filesystem
- WordPress installation wizard appearing unexpectedly on a previously configured site
- Web server access logs showing authenticated Subscriber requests interacting with Perfmatters administrative actions
Detection Strategies
- Inspect web server logs for requests to Perfmatters action handlers containing traversal sequences in query strings
- Monitor filesystem integrity for unauthorized deletion of WordPress core files, configuration files, and plugin assets
- Alert on WordPress installer page responses returned by sites that should already be configured
- Correlate Subscriber account activity with file deletion events on the underlying host
Monitoring Recommendations
- Enable WordPress audit logging to track plugin-initiated file operations and parameter values
- Forward web server access logs and filesystem events to a central SIEM for pattern matching on traversal payloads
- Review newly registered Subscriber accounts on sites that allow open registration
How to Mitigate CVE-2026-4350
Immediate Actions Required
- Update the Perfmatters plugin to a version released after 2.5.9.1 that addresses the path traversal flaw
- Disable the Perfmatters plugin on any site that cannot be updated immediately
- Audit Subscriber and higher-privilege accounts and remove any that are unrecognized
- Verify the integrity of wp-config.php and other critical WordPress files
Patch Information
Review the Performance Matters Changelog for the fixed release version and apply the update through the WordPress plugin dashboard. The Wordfence Vulnerability Report provides additional remediation guidance and the patched version number.
Workarounds
- Restrict new user registration to trusted email domains or disable open registration entirely
- Apply web application firewall rules that block ../ and encoded traversal sequences in plugin query parameters
- Set restrictive filesystem permissions so the web server user cannot delete wp-config.php or files outside the plugin's intended storage directory
- Place wp-config.php one directory above the WordPress root where supported by the hosting environment
# Example ModSecurity rule to block path traversal in the delete parameter
SecRule ARGS:delete "@rx (\.\./|%2e%2e%2f|%2e%2e/)" \
"id:1004350,phase:2,deny,status:403,log,\
msg:'CVE-2026-4350 Perfmatters path traversal attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
