{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-4350/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4350"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4350","wordpress","perfmatters","file-deletion","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Perfmatters plugin, a popular WordPress performance optimization tool, contains an arbitrary file deletion vulnerability (CVE-2026-4350, CVSS 8.1) affecting versions up to and including 2.5.9.1. The flaw lets authenticated attackers with Subscriber-level access, the lowest privilege level in WordPress, delete arbitrary files on the server. It stems from the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method\u0026rsquo;s failure to validate the \u003ccode\u003e$_GET['delete']\u003c/code\u003e parameter before passing it to \u003ccode\u003eunlink()\u003c/code\u003e. Because the value is concatenated onto the plugin\u0026rsquo;s storage directory without being checked, \u003ccode\u003e../\u003c/code\u003e sequences escape that directory and can target any file the web server process is permitted to delete. Successful exploitation can remove critical files such as \u003ccode\u003ewp-config.php\u003c/code\u003e, taking the site offline and potentially allowing a full site takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress site running a vulnerable version (\u0026lt;= 2.5.9.1) of the Perfmatters plugin.\u003c/li\u003e\n\u003cli\u003eAttacker obtains Subscriber-level access, either by registering on a site with open registration or by using compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP GET request to the site whose \u003ccode\u003edelete\u003c/code\u003e parameter carries a path traversal payload, for example \u003ccode\u003e?delete=../../../../wp-config.php\u003c/code\u003e, with as many \u003ccode\u003e../\u003c/code\u003e segments as are needed to climb from the storage directory to the target.\u003c/li\u003e\n\u003cli\u003eThe request is routed to the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method within the Perfmatters plugin, which reads \u003ccode\u003e$_GET['delete']\u003c/code\u003e without validating it.\u003c/li\u003e\n\u003cli\u003eThe plugin concatenates the attacker-controlled path onto the storage directory.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eunlink()\u003c/code\u003e is called on the resulting path and deletes the file the traversal payload points to.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003ewp-config.php\u003c/code\u003e is deleted, WordPress no longer has its database configuration and serves the installation wizard instead of the site; whoever completes the wizard first, including the attacker, can point the installation at a database they control and take the site over.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4350 allows attackers to delete arbitrary files on a vulnerable WordPress server, limited only by the permissions of the web server process. A key target is \u003ccode\u003ewp-config.php\u003c/code\u003e, which holds the database credentials. Deleting it forces WordPress into the installation wizard, potentially leading to a full site takeover. The impact therefore ranges from defacement and data loss to complete control of the website, affecting businesses, organizations, and individuals relying on WordPress for their online presence. Because a single request from the lowest-privileged account type is enough, this is a high-risk vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Perfmatters plugin to a release later than 2.5.9.1 that patches CVE-2026-4350.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Perfmatters Arbitrary File Deletion Attempt\u003c/code\u003e, which matches on \u003ccode\u003ecs-uri-query\u003c/code\u003e in web server logs, to surface exploitation attempts. Make sure the match also covers URL-encoded forms of the payload (for example \u003ccode\u003e%2e%2e%2f\u003c/code\u003e), since a literal \u003ccode\u003e../\u003c/code\u003e match alone is trivial to evade.\u003c/li\u003e\n\u003cli\u003eRate limiting requests to \u003ccode\u003ewp-admin/options.php\u003c/code\u003e does not prevent exploitation, because a single request is sufficient to delete a file; at best it slows an attacker probing for the right path depth. Limiting who can obtain a Subscriber account, for instance by disabling open registration where it is not needed, is a more useful compensating control until the plugin is updated.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for \u003ccode\u003ecs-uri-query\u003c/code\u003e values containing \u003ccode\u003e../\u003c/code\u003e sequences or their encoded equivalents, as these may indicate path traversal attempts; a request whose \u003ccode\u003edelete\u003c/code\u003e parameter references \u003ccode\u003ewp-config.php\u003c/code\u003e should be treated as an attack, not a probe.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T08:16:17Z","date_published":"2026-04-03T08:16:17Z","id":"/briefs/2026-04-perfmatters-file-deletion/","summary":"The Perfmatters plugin for WordPress, versions up to and including 2.5.9.1, is vulnerable to arbitrary file deletion via path traversal, allowing authenticated attackers with Subscriber-level privileges to delete sensitive files such as wp-config.php.","title":"Perfmatters WordPress Plugin Arbitrary File Deletion Vulnerability (CVE-2026-4350)","url":"https://feed.craftedsignal.io/briefs/2026-04-perfmatters-file-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-4350","version":"https://jsonfeed.org/version/1.1"}
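The two mechanisms the brief describes, the unchecked concatenation that lets `../` escape the storage directory (Attack Chain steps 5 and 6) and the `cs-uri-query` log check the Sigma rule in the Recommendation relies on, are illustrated below in an added Python example. It is not part of the CraftedSignal brief and not Perfmatters' own code: the storage directory path, the request stems and the W3C-format log lines are constructed for illustration, and the containment guard is the generic fix pattern for this bug class, not the vendor's patch.

```python
"""Added example (not the plugin's code): why an unchecked `delete` value
escapes the storage directory, what a correct containment check looks like,
and a scanner that flags traversal payloads in W3C-style web logs."""
import os
import posixpath
import re
from urllib.parse import parse_qs, unquote

# Hypothetical storage directory of the plugin on a Linux host.
STORAGE_DIR = "/var/www/html/wp-content/cache/perfmatters"


def vulnerable_target(storage_dir: str, user_value: str) -> str:
    """Simulates the flawed pattern: storage dir + $_GET['delete'], handed to
    unlink() as-is. Normalised lexically so the effect of '../' is visible
    without touching the filesystem."""
    return posixpath.normpath(posixpath.join(storage_dir, user_value))


def naive_strip(user_value: str) -> str:
    """A common but wrong mitigation: removing '../' once. '....//' collapses
    to '../' after the strip, so the traversal survives."""
    return user_value.replace("../", "")


def resolve_within(storage_dir: str, user_value: str):
    """Correct guard: resolve '..' and symlinks with realpath, then require the
    result to stay inside the storage directory. Returns the safe absolute
    path, or None when the request must be rejected."""
    if "\x00" in user_value:  # a null byte would truncate the path at C level
        return None
    base = os.path.realpath(storage_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    # commonpath compares whole components, so '/var/www/html-evil' does not
    # pass as a prefix of '/var/www/html' the way str.startswith would allow.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# '..' followed by slash, backslash or end of string, checked after decoding.
TRAVERSAL = re.compile(r"\.\.(?:[\\/]|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) a bounded number of
    times; parse_qs has already removed one layer."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def delete_param_traversal(cs_uri_query: str):
    """Return the decoded `delete` value if it contains a traversal sequence,
    else None. '-' is the W3C placeholder for an empty query."""
    if cs_uri_query in ("", "-"):
        return None
    for raw in parse_qs(cs_uri_query, keep_blank_values=True).get("delete", []):
        decoded = fully_decode(raw)
        if TRAVERSAL.search(decoded):
            return decoded
    return None


def parse_w3c(lines):
    """Yield one dict per record, keyed by the most recent '#Fields:' header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def scan_log(lines):
    """Apply the cs-uri-query check to every record and return the hits."""
    hits = []
    for rec in parse_w3c(lines):
        payload = delete_param_traversal(rec.get("cs-uri-query", "-"))
        if payload is not None:
            hits.append({"c-ip": rec["c-ip"], "cs-uri-stem": rec["cs-uri-stem"],
                         "payload": payload})
    return hits


# Constructed sample log; the stems are illustrative, only the query is matched.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-04-03 08:10:01 203.0.113.7 GET /wp-admin/options.php page=perfmatters 200
2026-04-03 08:10:05 198.51.100.9 GET /wp-admin/options.php delete=../../../../wp-config.php 200
2026-04-03 08:10:09 198.51.100.9 GET /wp-admin/options.php delete=..%2F..%2F..%2Fwp-config.php 200
2026-04-03 08:10:12 198.51.100.9 GET /wp-admin/options.php delete=%252e%252e%252fwp-config.php 200
2026-04-03 08:11:00 203.0.113.7 GET /wp-admin/options.php delete=cache%2Fstyle.css 200
2026-04-03 08:11:30 198.51.100.9 GET /wp-admin/options.php delete=..%5C..%5Cwp-config.php 200
2026-04-03 08:12:00 203.0.113.7 GET /wp-login.php - 200
""".splitlines()


if __name__ == "__main__":
    payload = "../../../../wp-config.php"
    print("vulnerable :", vulnerable_target(STORAGE_DIR, payload))
    print("naive strip:", vulnerable_target(STORAGE_DIR, naive_strip("....//....//....//....//wp-config.php")))
    print("guarded    :", resolve_within(STORAGE_DIR, payload))
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT", hit)
```

Run stand-alone it prints the lexical target of the brief's payload, shows that a strip-once filter is bypassed by `....//`, shows the realpath guard rejecting the same payload, and raises four alerts from the sample log: the plain, single-encoded, double-encoded and backslash variants, while the benign `cache/style.css` deletion and the empty-query line pass. The guard is deliberately the only part that touches the real filesystem API, and it never calls `unlink()`.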