EUVD-2026-18609
GHSA-7hmf-75fm-xr24
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
3Tags
Description
The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server by using `../` path traversal sequences, including `wp-config.php` which would force WordPress into the installation wizard and allow full site takeover.
Analysis
Arbitrary file deletion in Perfmatters WordPress plugin (≤2.5.9.1) allows authenticated attackers with Subscriber-level access to delete critical files including wp-config.php via path traversal, enabling full site takeover. The vulnerability stems from unsanitized GET parameter processing in PMCS::action_handler() without authentication or nonce checks. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all WordPress installations using Perfmatters plugin and document installed versions via wp-admin or file inspection. Within 7 days: Disable or immediately remove Perfmatters plugin versions ≤2.5.9.1; if functionality is required, evaluate alternative plugins and restrict subscriber role assignments to trusted users only. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today