Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated remote file read (PR:N, C:H) but three simultaneous non-default configuration prerequisites justify AC:H; no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.4 via the 's' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires the Local Google Fonts feature to be enabled (disabled by default), pretty permalinks to be active, and RSS feed links to remain enabled in the plugin settings.
AnalysisAI
Arbitrary file disclosure in the Perfmatters WordPress performance plugin (versions ≤ 2.6.4) lets unauthenticated attackers traverse the filesystem via the 's' parameter and read sensitive server files such as wp-config.php. The flaw only surfaces in a specific non-default configuration (Local Google Fonts enabled with pretty permalinks and RSS feed links active), and there is no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the plugin's Local Google Fonts feature to be explicitly enabled (it is disabled by default), WordPress pretty permalinks to be active, and the RSS feed links option to remain enabled in Perfmatters settings - all three must hold simultaneously. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N, score 7.5) reflects unauthenticated network-based confidentiality loss, but the description materially qualifies AC:L: exploitation is gated on three simultaneous, largely non-default conditions (Local Google Fonts enabled - off by default, pretty permalinks active, and RSS feed links enabled). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker fingerprints a WordPress site running Perfmatters with Local Google Fonts enabled and pretty permalinks active, then sends a crafted unauthenticated HTTP request setting the 's' parameter to a traversal path like ../../../../wp-config.php. The server returns the file contents, exposing database credentials and secret keys. … |
| Remediation | Upgrade Perfmatters to the first release after 2.6.4 that addresses this issue - the provided data does not name an exact fixed version, so confirm the patched build against the vendor changelog at https://perfmatters.io/docs/changelog/ before deploying (do not assume a version number). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations using Perfmatters and verify plugin version and configuration status (specifically whether Local Google Fonts is enabled alongside pretty permalinks and RSS feed links). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Perfmatters
View allImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Perfmatters allows
Cross-site scripting in the Perfmatters WordPress performance plugin (versions 2.6.4 and earlier) allows unauthenticated
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Perfmatters allows
Cross-Site Request Forgery (CSRF) vulnerability in Perfmatters allows Cross Site Request Forgery.1.6. Rated medium sever
Missing Authorization vulnerability in Perfmatters.1.6. Rated medium severity (CVSS 5.4), this vulnerability is remotely
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41272
GHSA-8456-6w7p-xg3h