Skip to main content

Perfmatters

6 CVEs product

Monthly

CVE-2026-57671 HIGH This Week

Cross-site scripting in the Perfmatters WordPress performance plugin (versions 2.6.4 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-reachable, no-authentication exploitation gated by user interaction, with a scope change into the victim's browser context. There is no public exploit identified at time of analysis and the issue is not in CISA KEV.

XSS Perfmatters
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-13251 HIGH This Week

Arbitrary file disclosure in the Perfmatters WordPress performance plugin (versions ≤ 2.6.4) lets unauthenticated attackers traverse the filesystem via the 's' parameter and read sensitive server files such as wp-config.php. The flaw only surfaces in a specific non-default configuration (Local Google Fonts enabled with pretty permalinks and RSS feed links active), and there is no public exploit identified at time of analysis. Reported by Wordfence with a CVSS of 7.5 (high).

WordPress Path Traversal Google Perfmatters
NVD VulDB
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-47874 MEDIUM This Month

Missing Authorization vulnerability in Perfmatters.1.6. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Perfmatters
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2023-47877 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Perfmatters allows Stored XSS.2.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Perfmatters
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2023-47876 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Perfmatters allows Reflected XSS.1.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Perfmatters
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2023-47875 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Perfmatters allows Cross Site Request Forgery.1.6. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Perfmatters
NVD
CVSS 3.1
5.4
EPSS
0.1%
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Perfmatters WordPress performance plugin (versions 2.6.4 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-reachable, no-authentication exploitation gated by user interaction, with a scope change into the victim's browser context. There is no public exploit identified at time of analysis and the issue is not in CISA KEV.

XSS Perfmatters
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in the Perfmatters WordPress performance plugin (versions ≤ 2.6.4) lets unauthenticated attackers traverse the filesystem via the 's' parameter and read sensitive server files such as wp-config.php. The flaw only surfaces in a specific non-default configuration (Local Google Fonts enabled with pretty permalinks and RSS feed links active), and there is no public exploit identified at time of analysis. Reported by Wordfence with a CVSS of 7.5 (high).

WordPress Path Traversal Google +1
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing Authorization vulnerability in Perfmatters.1.6. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Perfmatters
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Perfmatters allows Stored XSS.2.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Perfmatters
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Perfmatters allows Reflected XSS.1.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Perfmatters
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Perfmatters allows Cross Site Request Forgery.1.6. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Perfmatters
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy