Cyber Resilience

CVE-2026-4351

High

Published: 10 April 2026

Modified: 24 April 2026
KEV Added: not listed
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS score: 0.0041 (32.5th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-4351 is a high-severity Path Traversal (CWE-22) vulnerability in Perfmatters (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 32.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2026-4351 is a path traversal vulnerability (CWE-22) in the Perfmatters plugin for WordPress, affecting all versions up to and including 2.5.9. The flaw occurs in the PMCS::action_handler() method, which processes bulk "activate" and "deactivate" actions without any authorization checks or nonce verification. Unsanitized values from the $_GET['snippets'][] parameter are passed directly to Snippet::activate() or Snippet::deactivate(), which in turn invoke Snippet::update() and file_put_contents() using the attacker-controlled path, enabling arbitrary file overwrites with fixed PHP docblock content.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely (AV:N) with low attack complexity (AC:L), no user interaction (UI:N), and low privileges (PR:L). Successful exploitation allows overwriting arbitrary files on the server, potentially leading to denial of service by corrupting critical files such as .htaccess or index.php. The CVSS v3.1 base score is 8.1 (C:N/I:H/A:H/S:U), highlighting high impacts on integrity and availability.

The Perfmatters changelog at https://perfmatters.io/docs/changelog/ and Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/c172ab2b-ce1f-4a0d-b31f-b75ff2f03506?source=cve provide details on patches and mitigation steps for this vulnerability.

Vulnerability details

The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2.5.9. This is due to the `PMCS::action_handler()` method processing the bulk action `activate`/`deactivate` handlers without any authorization check or nonce verification. The `$_GET['snippets'][]` values are passed unsanitized to `Snippet::activate()`/`Snippet::deactivate()`, which call `Snippet::update()` and then `file_put_contents()` with the traversed path. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service by corrupting critical files like `.htaccess` or `index.php`.
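Hardening the pattern described above, as an added example that is not Perfmatters code: the snippet identifier is allowlisted and its canonical path confined to the snippets directory before anything reaches file_put_contents(), which is the sanitization step missing from the chain described. The directory layout, function names and docblock content are assumptions; in the plugin this would run only after the capability and nonce checks (current_user_can(), check_admin_referer()).

```php
<?php
// Added example, not Perfmatters code: confine a user-supplied snippet id to the
// snippets directory so a value such as "../.htaccess" never reaches file_put_contents().
declare(strict_types=1);

function resolve_snippet_path(string $baseDir, string $snippetId): ?string
{
    // Allowlist the identifier: slugs only, so "/" and ".." cannot occur at all.
    if (preg_match('/\A[a-z0-9_-]{1,64}\z/', $snippetId) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Defence in depth: canonicalise and confine, which also catches symlinks
    // pointing outside the directory. The snippet file must already exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $snippetId . '.php');
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Bulk-action processing with the path check applied to every value. In the
// plugin this would run only after the capability and nonce checks (assumed:
// current_user_can('manage_options') and check_admin_referer()).
function process_bulk_action(array $snippetIds, string $baseDir, string $docblock): array
{
    $result = ['written' => [], 'rejected' => []];
    foreach ($snippetIds as $id) {
        $path = is_string($id) ? resolve_snippet_path($baseDir, $id) : null;
        if ($path === null) {
            $result['rejected'][] = $id;
            continue;
        }
        file_put_contents($path, $docblock);
        $result['written'][] = $path;
    }
    return $result;
}

// Constructed demo: a temporary snippets directory with one legitimate snippet
// and an .htaccess one level up, then a request mixing a slug with traversal values.
$root = sys_get_temp_dir() . '/pmcs-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/snippets', 0700, true);
file_put_contents($root . '/snippets/my-snippet.php', "<?php\n");
file_put_contents($root . '/.htaccess', "# original\n");
$request = ['my-snippet', '../.htaccess', '/etc/passwd', "my-snippet\0.php"];
print_r(process_bulk_action($request, $root . '/snippets', "<?php\n/**\n * active\n */\n"));
```

Only snippets/my-snippet.php is written; the three traversal-style values are listed under "rejected" and .htaccess keeps its original content.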

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

A vulnerability in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) via path traversal and missing authorization checks; it also facilitates T1485 (Data Destruction) because the arbitrary file overwrites can corrupt critical files such as .htaccess or index.php, causing denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24970, CVE-2026-45230, CVE-2025-68901, CVE-2026-33293, CVE-2025-26540, CVE-2025-7359, CVE-2026-22448, CVE-2025-21622, CVE-2025-14868, CVE-2026-32522 (all share CWE-22)

Affected Assets

Perfmatters (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: Directly mitigates path traversal (CWE-22) by requiring validation and sanitization of the $_GET['snippets'][] values before they are passed to Snippet::update() and file_put_contents().

Prevent: Enforces the authorization checks missing from PMCS::action_handler(), preventing Subscriber-level users from executing the bulk activate/deactivate actions that lead to arbitrary file overwrites.

Prevent: Requires the nonce verification absent from the action handlers, protecting against unauthorized or spoofed requests that exploit the vulnerable bulk action processing.
