Skip to main content

Perfmatters CVE-2026-13251

| EUVDEUVD-2026-41272 HIGH
Path Traversal (CWE-22)
2026-07-02 Wordfence GHSA-8456-6w7p-xg3h
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

Unauthenticated remote file read (PR:N, C:H) but three simultaneous non-default configuration prerequisites justify AC:H; no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 10:15 vuln.today
CVE Published
Jul 02, 2026 - 09:32 cve.org
HIGH 7.5

DescriptionCVE.org

The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.4 via the 's' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires the Local Google Fonts feature to be enabled (disabled by default), pretty permalinks to be active, and RSS feed links to remain enabled in the plugin settings.

AnalysisAI

Arbitrary file disclosure in the Perfmatters WordPress performance plugin (versions ≤ 2.6.4) lets unauthenticated attackers traverse the filesystem via the 's' parameter and read sensitive server files such as wp-config.php. The flaw only surfaces in a specific non-default configuration (Local Google Fonts enabled with pretty permalinks and RSS feed links active), and there is no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site with Local Google Fonts enabled
Delivery
Send request with traversal in 's' parameter
Exploit
Bypass fonts directory restriction
Execution
Read arbitrary server file
Impact
Exfiltrate wp-config.php secrets

Vulnerability AssessmentAI

Exploitation Exploitation requires the plugin's Local Google Fonts feature to be explicitly enabled (it is disabled by default), WordPress pretty permalinks to be active, and the RSS feed links option to remain enabled in Perfmatters settings - all three must hold simultaneously. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N, score 7.5) reflects unauthenticated network-based confidentiality loss, but the description materially qualifies AC:L: exploitation is gated on three simultaneous, largely non-default conditions (Local Google Fonts enabled - off by default, pretty permalinks active, and RSS feed links enabled). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker fingerprints a WordPress site running Perfmatters with Local Google Fonts enabled and pretty permalinks active, then sends a crafted unauthenticated HTTP request setting the 's' parameter to a traversal path like ../../../../wp-config.php. The server returns the file contents, exposing database credentials and secret keys. …
Remediation Upgrade Perfmatters to the first release after 2.6.4 that addresses this issue - the provided data does not name an exact fixed version, so confirm the patched build against the vendor changelog at https://perfmatters.io/docs/changelog/ before deploying (do not assume a version number). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using Perfmatters and verify plugin version and configuration status (specifically whether Local Google Fonts is enabled alongside pretty permalinks and RSS feed links). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13251 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy