CVE-2026-4350

Severity: High
Published: 03 April 2026
Modified: 24 April 2026
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS score: 0.0066 (46.7th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4350 is a high-severity Path Traversal (CWE-22) vulnerability in Perfmatters (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4350 is a path traversal vulnerability in the Perfmatters plugin for WordPress, affecting all versions up to and including 2.5.9.1. The issue resides in the PMCS::action_handler() method, which processes the unsanitized $_GET['delete'] parameter without authorization checks or nonce verification. This allows the parameter value to be directly concatenated with the plugin's storage directory path and passed to PHP's unlink() function, enabling arbitrary file deletion (CWE-22). The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low complexity. By crafting a GET request with a 'delete' parameter containing path traversal sequences like '../', they can target and delete any server-accessible file. A critical outcome is deletion of wp-config.php, which disrupts WordPress functionality and forces the site into the installation wizard, potentially allowing full site takeover if the attacker can subsequently reconfigure the site.

Mitigation details are available in advisories from Wordfence and the Perfmatters changelog. Security practitioners should update to a patched version of the plugin beyond 2.5.9.1 and review the referenced sources for specific remediation steps: https://perfmatters.io/docs/changelog/ and https://www.wordfence.com/threat-intel/vulnerabilities/id/58b9dab8-8539-4b53-b08d-f6ee3e1e744c?source=cve.
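As an added illustration (not Perfmatters' own code and not its actual fix), the handler below applies the controls this analysis calls for: a capability check, nonce verification, input sanitization, and a realpath confinement check before any file is removed. The function name, the nonce action name and the storage directory are assumptions.

```php
<?php
// Added illustration, not Perfmatters' code: a delete handler carrying the
// three checks the advisory says PMCS::action_handler() lacked. The function
// name, nonce action and storage directory are assumptions.
add_action( 'admin_init', 'example_pmcs_delete_handler' );

function example_pmcs_delete_handler(): void {
    if ( ! isset( $_GET['delete'] ) ) {
        return;
    }
    // 1. Authorization: the original had none, so a Subscriber could reach
    //    the delete path. Require an administrator-level capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce verification: binds the request to an action the admin
    //    initiated (the action name 'example_pmcs_delete' is assumed).
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_pmcs_delete' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // 3. Input sanitization: basename() drops every directory component, so a
    //    value like "../../wp-config.php" collapses to "wp-config.php", which is
    //    then only looked for inside the storage directory.
    $name = sanitize_file_name( basename( wp_unslash( $_GET['delete'] ) ) );
    if ( '' === $name ) {
        wp_die( 'Invalid file name.', '', array( 'response' => 400 ) );
    }

    // Assumed storage location; the plugin's real directory is not on the page.
    $storage_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-pmcs-storage';
    $base   = realpath( $storage_dir );
    $target = realpath( $storage_dir . DIRECTORY_SEPARATOR . $name );

    // 4. Defence in depth: after resolving symlinks, the target must still lie
    //    strictly inside the storage directory, otherwise refuse.
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'File is outside the storage directory.', '', array( 'response' => 400 ) );
    }

    if ( ! is_file( $target ) || ! unlink( $target ) ) {
        wp_die( 'Could not delete file.', '', array( 'response' => 500 ) );
    }
}
```

The realpath check matters even with basename() in place, because a symlink inside the storage directory could otherwise point the deletion outside it.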

Vulnerability details

The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server by using `../` path traversal sequences, including `wp-config.php` which would force WordPress into the installation wizard and allow full site takeover.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Path traversal in WordPress plugin enables exploitation of public-facing application (T1190) for arbitrary file deletion (T1107), disrupting site functionality.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-7643 (shared CWE-22)
- CVE-2025-14850 (shared CWE-22)
- CVE-2025-8141 (shared CWE-22)
- CVE-2025-2328 (shared CWE-22)
- CVE-2025-7645 (shared CWE-22)
- CVE-2026-41058 (shared CWE-22)
- CVE-2026-0704 (shared CWE-22)
- CVE-2025-11631 (shared CWE-22)
- CVE-2025-65792 (shared CWE-22)
- CVE-2025-14675 (shared CWE-22)

Affected Assets

Perfmatters (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

- SI-10 (Information Input Validation), prevent: Requires validation and sanitization of unsanitized inputs like the $_GET['delete'] parameter to directly prevent path traversal exploitation leading to arbitrary file deletion.
- Flaw remediation, prevent: Mandates timely identification, reporting, and patching of flaws such as this path traversal vulnerability in the Perfmatters plugin up to version 2.5.9.1.
- AC-3 (Access Enforcement), prevent: Enforces access control policies with authorization checks prior to processing delete actions, addressing the missing authorization and nonce verification in PMCS::action_handler().