Perfmatters <= 2.5.9.1 - Authenticated (Subscriber+) Arbitrary File Deletion via 'delete' Parameter
Title source: cnaExploitation Summary
EIP tracks 1 public exploit for CVE-2026-4350. PoCs published by whyiamsobusy.
AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-4350, an arbitrary file deletion vulnerability in the Perfmatters WordPress plugin. The exploit leverages unsanitized input in the 'delete' parameter to perform path traversal attacks, allowing deletion of critical files like wp-config.php.
Description
The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server by using `../` path traversal sequences, including `wp-config.php` which would force WordPress into the installation wizard and allow full site takeover.
Exploits (1)
This repository contains a functional exploit for CVE-2026-4350, an arbitrary file deletion vulnerability in the Perfmatters WordPress plugin. The exploit leverages unsanitized input in the 'delete' parameter to perform path traversal attacks, allowing deletion of critical files like wp-config.php.
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H