CVE-2026-4350
Published: 03 April 2026
Summary
CVE-2026-4350 is a high-severity Path Traversal (CWE-22) vulnerability in Perfmatters (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-4350 is a path traversal vulnerability in the Perfmatters plugin for WordPress, affecting all versions up to and including 2.5.9.1. The issue resides in the PMCS::action_handler() method, which processes the unsanitized $_GET['delete'] parameter without authorization checks or nonce verification. This allows the parameter value to be directly concatenated with the plugin's storage directory path and passed to PHP's unlink() function, enabling arbitrary file deletion (CWE-22). The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low complexity. By crafting a GET request with a 'delete' parameter containing path traversal sequences like '../', they can target and delete any server-accessible file. A critical outcome is deletion of wp-config.php, which disrupts WordPress functionality and forces the site into the installation wizard, potentially allowing full site takeover if the attacker can subsequently reconfigure the site.
Mitigation details are available in advisories from Wordfence and the Perfmatters changelog. Security practitioners should update to a patched version of the plugin beyond 2.5.9.1 and review the referenced sources for specific remediation steps: https://perfmatters.io/docs/changelog/ and https://www.wordfence.com/threat-intel/vulnerabilities/id/58b9dab8-8539-4b53-b08d-f6ee3e1e744c?source=cve.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18609
Vulnerability details
The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce…
more
verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server by using `../` path traversal sequences, including `wp-config.php` which would force WordPress into the installation wizard and allow full site takeover.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in WordPress plugin enables exploitation of public-facing application (T1190) for arbitrary file deletion (T1107), disrupting site functionality.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation and sanitization of unsanitized inputs like the $_GET['delete'] parameter to directly prevent path traversal exploitation leading to arbitrary file deletion.
Mandates timely identification, reporting, and patching of flaws such as this path traversal vulnerability in the Perfmatters plugin up to version 2.5.9.1.
Enforces access control policies with authorization checks prior to processing delete actions, addressing the missing authorization and nonce verification in PMCS::action_handler().