CVE-2026-4350 — The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion…
Image via perfmatters.io
🚨 CVE-2026-4350 The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the PMCS::actionhandler() method processing the $GET['delete'] parameter without any sanitization, authorization check, or nonce verification.
What This Means For You
- New vulnerability disclosed — verify if your stack is exposed.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-4350 | Path Traversal | Perfmatters plugin for WordPress versions up to and including 2.5.9.1. Vulnerable component: PMCS::actionhandler() method. Vulnerability occurs when processing the $GET['delete'] parameter without sanitization, authorization check, or nonce verification. |
| CVE-2026-4350 | Arbitrary File Deletion | Perfmatters plugin for WordPress versions up to and including 2.5.9.1. Vulnerable component: PMCS::actionhandler() method. Vulnerability occurs when processing the $GET['delete'] parameter without sanitization, authorization check, or nonce verification. |
Source & Attribution
| Source Platform | Telegram |
| Channel | CVE Notify |
| Channel ID | 1129491012 |
| Message ID | 157841 |
| Published | April 03, 2026 at 11:26 UTC |
| Original Link | https://perfmatters.io/docs/changelog/ |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Found this interesting? Follow us on LinkedIn to stay ahead.
Share