{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file-overwrite/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4351"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","perfmatters","file-overwrite","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Perfmatters plugin for WordPress, in versions up to and including 2.5.9, is vulnerable to an arbitrary file overwrite vulnerability (CVE-2026-4351). This vulnerability stems from the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method\u0026rsquo;s processing of bulk \u003ccode\u003eactivate\u003c/code\u003e/\u003ccode\u003edeactivate\u003c/code\u003e actions without proper authorization checks or nonce verification. The unsanitized \u003ccode\u003e$_GET['snippets'][]\u003c/code\u003e values are then passed to \u003ccode\u003eSnippet::activate()\u003c/code\u003e/\u003ccode\u003eSnippet::deactivate()\u003c/code\u003e, which subsequently call \u003ccode\u003eSnippet::update()\u003c/code\u003e and \u003ccode\u003efile_put_contents()\u003c/code\u003e with a traversed path. An authenticated attacker with subscriber-level privileges can exploit this flaw to overwrite arbitrary files on the server with a fixed PHP docblock, leading to a potential denial-of-service condition by corrupting critical files such as \u003ccode\u003e.htaccess\u003c/code\u003e or \u003ccode\u003eindex.php\u003c/code\u003e. This vulnerability allows low-privileged users to gain elevated privileges on the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the WordPress site with subscriber-level access.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET request targeting the WordPress installation.\u003c/li\u003e\n\u003cli\u003eThe GET request includes the \u003ccode\u003epmcs_action\u003c/code\u003e parameter set to \u003ccode\u003ebulk_activate\u003c/code\u003e or \u003ccode\u003ebulk_deactivate\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe GET request includes the \u003ccode\u003esnippets[]\u003c/code\u003e parameter containing a path traversal payload, such as \u003ccode\u003e../../../.htaccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e function processes the request without proper authorization or nonce validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSnippet::activate()\u003c/code\u003e or \u003ccode\u003eSnippet::deactivate()\u003c/code\u003e functions are called, leading to \u003ccode\u003eSnippet::update()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSnippet::update()\u003c/code\u003e then calls \u003ccode\u003efile_put_contents()\u003c/code\u003e with the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites the targeted file (e.g., \u003ccode\u003e.htaccess\u003c/code\u003e, \u003ccode\u003eindex.php\u003c/code\u003e) with a fixed PHP docblock, leading to a denial of service or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to overwrite arbitrary files on the WordPress server. Overwriting critical files like \u003ccode\u003e.htaccess\u003c/code\u003e or \u003ccode\u003eindex.php\u003c/code\u003e can result in a denial-of-service condition, rendering the website unavailable. In some cases, this could be leveraged for further compromise by injecting malicious code into other PHP files or modifying server configurations. The vulnerability affects all installations using the Perfmatters plugin version 2.5.9 or earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Perfmatters plugin to the latest version to patch CVE-2026-4351.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Perfmatters Arbitrary File Overwrite Attempt\u003c/code\u003e to monitor for exploitation attempts targeting this vulnerability via HTTP GET requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious GET requests containing \u003ccode\u003epmcs_action=bulk_activate\u003c/code\u003e or \u003ccode\u003epmcs_action=bulk_deactivate\u003c/code\u003e and path traversal sequences within the \u003ccode\u003esnippets[]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission controls to limit the impact of potential file overwrite vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T02:37:36Z","date_published":"2026-04-10T02:37:36Z","id":"/briefs/2026-04-perfmatters-overwrite/","summary":"The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal, allowing authenticated attackers with subscriber-level access to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service.","title":"Perfmatters WordPress Plugin Arbitrary File Overwrite Vulnerability (CVE-2026-4351)","url":"https://feed.craftedsignal.io/briefs/2026-04-perfmatters-overwrite/"}],"language":"en","title":"CraftedSignal Threat Feed — File-Overwrite","version":"https://jsonfeed.org/version/1.1"}