CVE-2026-4350: Path Traversal in The Perfmatters plugin
// Executive Summary
The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the PMCS::action_handler() method processing the $_GET['delete'] parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to unlink().
The CVE-2026-4350 vulnerability affects The Perfmatters plugin and represents a high-severity Path Traversal flaw with real-world consequences for organizations running affected versions.
Arbitrary File Access
Attackers can read sensitive files outside the intended directory, including configuration files with credentials.
File Write / Overwrite
Depending on permissions, attackers may overwrite critical system files or deploy malicious content.
Credential Theft
Config files containing database credentials, API keys, or passwords can be read by unauthenticated attackers.
Follow these steps to determine whether your systems are exposed to CVE-2026-4350:
Detection Checklist
- Identify all instances of The Perfmatters plugin deployed in your environment (on-premises, cloud, and containerized deployments).
- Check the version of your The Perfmatters plugin installation — vulnerable versions are indicated in the CVE advisory.
- Review access logs for anomalous request patterns consistent with Path Traversal exploitation attempts.
- Search for indicators of compromise (IOCs) including unexpected process spawns, unusual network connections, or modified configuration files.
- Run KENSAI's automated vulnerability scanner against your The Perfmatters plugin deployment to confirm exposure in minutes.
- Check your SIEM/IDS for alerts referencing this CVE or related attack signatures published by threat intelligence vendors.
Immediate Actions Required
- Apply the vendor patch immediately — update The Perfmatters plugin to the latest patched version as specified in the CVE advisory.
- If an immediate patch is not possible, implement temporary mitigations such as WAF rules to block exploit attempts.
- Isolate the affected system from the internal network until patched to prevent lateral movement by attackers.
- Restrict network access to the vulnerable component using firewall rules, limiting exposure to trusted IP ranges only.
- Audit and rotate all credentials (passwords, API keys, tokens) that may have been accessible to an attacker if exploitation occurred.
- Enable comprehensive logging and alerting for the affected component to detect any ongoing exploitation attempts.
- Conduct a post-patch verification scan to confirm the vulnerability has been remediated before returning the system to production.
- Review related systems and dependencies that may be affected by the same vulnerability class.
What is CVE-2026-4350?
CVE-2026-4350 is a high-severity Path Traversal vulnerability affecting The Perfmatters plugin. It has a CVSS score of 8.1 and requires immediate attention from security teams.
How serious is CVE-2026-4350?
With a HIGH severity rating and CVSS score of 8.1, CVE-2026-4350 represents a significant security risk. Organizations using The Perfmatters plugin should treat remediation as a high priority.
Is CVE-2026-4350 actively exploited?
Security researchers have published details about this vulnerability. Monitor CISA's KEV catalog and your threat intelligence feeds for exploitation status updates. Apply the patch regardless of current exploitation status.
How do I fix CVE-2026-4350?
The primary remediation is to apply the vendor-supplied patch for The Perfmatters plugin. If patching is not immediately possible, implement temporary compensating controls such as WAF rules or network access restrictions while the patch is scheduled.
Does CVE-2026-4350 affect my organization?
If your organization uses The Perfmatters plugin, you should assess your exposure immediately. Check the specific affected versions in the CVE advisory and run an automated vulnerability scan to confirm your exposure status.