CVE-2026-4350 — The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion…

April 03, 2026 11:26 /HIGH

CVE Notify vulnerabilitycve

🚨 CVE-2026-4350 The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the PMCS::actionhandler() method processing the $GET['delete'] parameter without any sanitization, authorization check, or nonce verification.

What This Means For You

New vulnerability disclosed — verify if your stack is exposed.

Indicators of Compromise

ID	Type	Indicator
CVE-2026-4350	Path Traversal	Perfmatters plugin for WordPress versions up to and including 2.5.9.1. Vulnerable component: PMCS::actionhandler() method. Vulnerability occurs when processing the $GET['delete'] parameter without sanitization, authorization check, or nonce verification.
CVE-2026-4350	Arbitrary File Deletion	Perfmatters plugin for WordPress versions up to and including 2.5.9.1. Vulnerable component: PMCS::actionhandler() method. Vulnerability occurs when processing the $GET['delete'] parameter without sanitization, authorization check, or nonce verification.

🔎

Turn this CVE into SIEM detection coverage Generate detection rules for Splunk, Sentinel, QRadar & Elastic — straight from this vulnerability. Use /detect in the Intel Bot.

Open Intel Bot →

Source & Attribution

Source Platform	Telegram
Channel	CVE Notify
Published	April 03, 2026 at 11:26 UTC

This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.

Believe this infringes your rights? Submit a takedown request.

What This Means For You

Indicators of Compromise

Related coverage

CVE-2026-20240 — Denial of Service

Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged