PT-2026-31849 · WordPress · Perfmatters

Published 2026-04-10 · Updated 2026-04-11 · CVE-2026-4351

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Perfmatters plugin for WordPress versions up to and including 2.5.9

Description

The Perfmatters plugin for WordPress is susceptible to arbitrary file overwrite through path traversal. This occurs because the PMCS::action_handler() method processes activate/deactivate handlers without proper authorization or nonce verification. The $_GET['snippets'][] values are passed without sanitization to Snippet::activate()/Snippet::deactivate(), which then call Snippet::update() and file_put_contents() with a potentially traversed path. This allows authenticated attackers with Subscriber-level access or higher to overwrite arbitrary files on the server, potentially leading to denial of service by corrupting critical files like .htaccess or index.php.

Recommendations

Update the Perfmatters plugin to a version later than 2.5.9.
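
The two controls the description reports as missing, an authorization gate before the request is read and containment of the snippet name inside the snippet directory, are shown below as an added example. It is not Perfmatters code and not the vendor's fix; the function names, the .php file-name pattern and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added illustration, not Perfmatters code. All function names are hypothetical.

// Map a request-supplied snippet name to an existing file inside $baseDir.
// Returns null for anything that is not a plain file name in that directory.
function resolve_snippet_path(string $baseDir, $name): ?string
{
    // Allowlist: one path component, no separators, no "..", no NUL bytes.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\.php\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and fails for files that do not exist,
    // so only existing snippets under $base are accepted.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Hypothetical activate/deactivate handler. In WordPress, $authorized would be
// the result of a capability check (current_user_can()) and a nonce check
// (check_admin_referer()), both done before any request value is read.
function select_snippets(array $query, bool $authorized, string $baseDir): array
{
    if (!$authorized) {
        return [];
    }
    $paths = [];
    foreach ((array) ($query['snippets'] ?? []) as $name) {
        $path = resolve_snippet_path($baseDir, $name);
        if ($path !== null) {
            $paths[] = $path;
        }
    }
    return $paths;
}

// Constructed sample input: one valid name, two traversal attempts, one array.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'snippets_demo_' . getmypid();
if (!is_dir($dir)) { mkdir($dir); }
file_put_contents($dir . DIRECTORY_SEPARATOR . 'header.php', "<?php // sample\n");
$query = ['snippets' => ['header.php', '../index.php', '../../.htaccess', ['x']]];
var_dump(select_snippets($query, false, $dir));
var_dump(select_snippets($query, true, $dir));
```

Only paths returned by select_snippets() should ever reach a write call such as file_put_contents(); every other request value is dropped before any file is touched.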

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-4351

Affected Products

Perfmatters