PT-2026-29900 · WordPress · Perfmatters

Published 2026-04-02 · Updated 2026-04-10 · CVE-2026-4350

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Perfmatters plugin for WordPress versions through 2.5.9.1

Description

The Perfmatters plugin for WordPress contains a flaw that allows arbitrary file deletion through path traversal. The PMCS::action_handler() method processes the $_GET['delete'] parameter without proper sanitization, authorization checks, or nonce verification. This allows attackers to use ../ sequences to delete arbitrary files on the server, including wp-config.php. Deleting wp-config.php can lead to full site takeover. More than 200,000 WordPress sites were potentially affected.

Recommendations

Update to version 2.6.0 or later.
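
The description names three missing controls: sanitization, authorization checks and nonce verification. The following added example (not Perfmatters code; the function name, the "storage" directory and all files are constructed for illustration) shows the path-containment part in plain PHP and notes in a comment where the WordPress capability and nonce checks belong.

```php
<?php
// Added example, not Perfmatters code. resolve_deletable_path(), the
// "storage" directory and all file names are hypothetical.

/** Map a user-supplied file name to a path inside $baseDir, or null to reject. */
function resolve_deletable_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Accept a bare file name only: any "/" or "\" component is refused.
    if ($requested !== basename(str_replace('\\', '/', $requested))) {
        return null;
    }
    // realpath() collapses ".." and symlinks and returns false for missing files.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare canonical paths, with a trailing separator so that a sibling
    // such as "storage-old" does not pass as a prefix of "storage".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed layout: <tmp>/site/wp-config.php and <tmp>/site/storage/a.php
$site = sys_get_temp_dir() . '/pm_demo_' . bin2hex(random_bytes(4));
mkdir("$site/storage", 0700, true);
file_put_contents("$site/wp-config.php", "<?php // constructed\n");
file_put_contents("$site/storage/a.php", "<?php // constructed\n");

// In a WordPress handler, current_user_can() and check_admin_referer() must
// both pass before this point; the value would be wp_unslash($_GET['delete']).
foreach (['a.php', '../wp-config.php', '..\\wp-config.php', '..', 'missing.php'] as $value) {
    $path = resolve_deletable_path("$site/storage", $value);
    printf("%-20s %s\n", $value, $path === null ? 'rejected' : 'allowed');
}

// Remove the constructed files.
unlink("$site/storage/a.php");
unlink("$site/wp-config.php");
rmdir("$site/storage");
rmdir($site);
```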

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-4350

Affected Products

Perfmatters