CVE-2026-4350
Published: 03 April 2026
Description
Adversaries may delete files left behind by the actions of their intrusion activity.
Security Summary
CVE-2026-4350 is a path traversal vulnerability in the Perfmatters plugin for WordPress, affecting all versions up to and including 2.5.9.1. The issue resides in the PMCS::action_handler() method, which processes the unsanitized $_GET['delete'] parameter without authorization checks or nonce verification. This allows the parameter value to be directly concatenated with the plugin's storage directory path and passed to PHP's unlink() function, enabling arbitrary file deletion (CWE-22). The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low complexity. By crafting a GET request whose 'delete' parameter contains path traversal sequences such as '../', they can delete any file the web server process is permitted to remove. A critical outcome is deletion of wp-config.php, which breaks the WordPress installation and drops the site into the installation wizard, potentially allowing full site takeover if the attacker can then reconfigure the site.
Mitigation details are available in advisories from Wordfence and the Perfmatters changelog. Security practitioners should update to a patched version of the plugin beyond 2.5.9.1 and review the referenced sources for specific remediation steps: https://perfmatters.io/docs/changelog/ and https://www.wordfence.com/threat-intel/vulnerabilities/id/58b9dab8-8539-4b53-b08d-f6ee3e1e744c?source=cve.
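The pattern the summary describes, and a hardened form of the same handler, as an added illustration that is not Perfmatters' own code: the storage directory, the nonce action 'pmcs_delete' and the manage_options capability are assumptions.

```php
<?php
// Added illustration (not Perfmatters' code) of the flaw described above:
// an unsanitized delete parameter joined to a storage path and handed to unlink().
function vulnerable_delete_handler( string $storage_dir ): void {
    if ( isset( $_GET['delete'] ) ) {
        unlink( $storage_dir . $_GET['delete'] ); // no capability check, no nonce, no path check
    }
}

// Hardened form: capability check, nonce verification, filename sanitisation and a
// realpath() containment check so only files inside $storage_dir can be removed.
// The nonce action 'pmcs_delete' and the manage_options capability are assumed values.
function hardened_delete_handler( string $storage_dir ): void {
    if ( ! isset( $_GET['delete'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'pmcs_delete', '_wpnonce' ); // dies on a missing or invalid nonce

    // basename() drops every directory component, so '../' sequences cannot survive it.
    $name = sanitize_file_name( basename( wp_unslash( $_GET['delete'] ) ) );
    if ( '' === $name ) {
        wp_die( 'Invalid file name.', '', array( 'response' => 400 ) );
    }

    $base   = realpath( $storage_dir );
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    // realpath() resolves symlinks; require the resolved target to sit under the storage directory.
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'File outside storage directory.', '', array( 'response' => 400 ) );
    }
    if ( is_file( $target ) ) {
        unlink( $target );
    }
}
```

The containment check is the part that closes CWE-22 even if a future caller forgets basename(); the capability and nonce checks close the missing authorization that lets a Subscriber reach the handler at all.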
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the WordPress plugin enables exploitation of a public-facing application (T1190) for arbitrary file deletion (T1107), disrupting site functionality.