{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4350", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-17T17:04:50.751Z", "datePublished": "2026-04-03T07:41:57.239Z", "dateUpdated": "2026-04-08T16:54:37.987Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:37.987Z"}, "affected": [{"vendor": "perfmatters", "product": "Perfmatters", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5.9.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server by using `../` path traversal sequences, including `wp-config.php` which would force WordPress into the installation wizard and allow full site takeover."}], "title": "Perfmatters <= 2.5.9.1 - Authenticated (Subscriber+) Arbitrary File Deletion via 'delete' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58b9dab8-8539-4b53-b08d-f6ee3e1e744c?source=cve"}, {"url": "https://perfmatters.io/docs/changelog/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "timeline": [{"time": "2026-03-19T20:20:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-02T19:02:03.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T12:48:51.557866Z", "id": "CVE-2026-4350", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:48:57.412Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4350", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T12:48:51.557866Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:48:54.258Z"}}], "cna": {"title": "Perfmatters <= 2.5.9.1 - Authenticated (Subscriber+) Arbitrary File Deletion via 'delete' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "perfmatters", "product": "Perfmatters", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.5.9.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-19T20:20:05.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-02T19:02:03.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58b9dab8-8539-4b53-b08d-f6ee3e1e744c?source=cve"}, {"url": "https://perfmatters.io/docs/changelog/"}], "descriptions": [{"lang": "en", "value": "The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server by using `../` path traversal sequences, including `wp-config.php` which would force WordPress into the installation wizard and allow full site takeover."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:37.987Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4350", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:54:37.987Z", "dateReserved": "2026-03-17T17:04:50.751Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-03T07:41:57.239Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server by using `../` path traversal sequences, including `wp-config.php` which would force WordPress into the installation wizard and allow full site takeover."}], "id": "CVE-2026-4350", "lastModified": "2026-04-24T18:13:28.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-03T08:16:17.547", "references": [{"source": "security@wordfence.com", "url": "https://perfmatters.io/docs/changelog/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58b9dab8-8539-4b53-b08d-f6ee3e1e744c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.5.9.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Perfmatters", "source": "cna", "vendor": "perfmatters"}, "product": "perfmatters", "vendor": "perfmatters"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-03T10:50:26.938200+00:00", "value": {"mitigation_remediation": ["Upgrade the Perfmatters plugin to the latest available release after version 2.5.9.1 once it is released", "If an update is not yet available, disable or remove the plugin to eliminate the attack surface", "Restrict Subscriber access to only trusted users and consider elevating role responsibilities", "Monitor web server logs for unexpected delete requests and investigate promptly", "Verify WordPress file permissions to prevent unauthorized file deletions"], "summary": {"action": "Immediate patch", "impact": "Arbitrary file deletion that can lead to full WordPress site takeover"}, "threat_synthesis": {"affected_systems": "All releases of Perfmatters up to and including version 2.5.9.1 are affected. The vulnerability applies to users who have authenticated access with a Subscriber role or higher, which is a common role assignment for many website owners and editors.", "description_and_impact": "The Perfmatters plugin for WordPress contains a flaw in the \"delete\" action handler where the value of the $_GET['delete'] parameter is concatenated without sanitation or authorization checks and passed to PHP's unlink() function. If an authenticated user with Subscriber privileges or higher exploits this, they can supply path traversal sequences such as ../ to delete any file within the plugin's storage directory, including critical files like wp-config.php. Removing such a file triggers WordPress to launch its installation wizard, effectively handing full control of the site to the attacker.", "risk_and_exploitability": "The severity is rated CVSS 8.1, indicating a high risk. EPSS data is not available, and the issue is not listed in the Known Exploited Vulnerabilities catalog. Exploitation requires only a valid authenticated session; no additional privileges or prior setup are needed beyond standard subscriber access. The lack of input validation makes successful exploitation straightforward once credentials are present."}}}}, "created": "2026-04-03T21:14:44.529481+00:00", "updated": "2026-04-03T21:17:01.340346+00:00", "vendors": ["perfmatters", "perfmatters$PRODUCT$perfmatters", "wordpress", "wordpress$PRODUCT$wordpress"]}