{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/perfmatters/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4351"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","perfmatters","file-overwrite","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Perfmatters plugin for WordPress, in versions up to and including 2.5.9, contains an arbitrary file overwrite vulnerability (CVE-2026-4351). The flaw stems from the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method\u0026rsquo;s processing of bulk \u003ccode\u003eactivate\u003c/code\u003e/\u003ccode\u003edeactivate\u003c/code\u003e actions without proper authorization checks or nonce verification. The unsanitized \u003ccode\u003e$_GET['snippets'][]\u003c/code\u003e values are then passed to \u003ccode\u003eSnippet::activate()\u003c/code\u003e/\u003ccode\u003eSnippet::deactivate()\u003c/code\u003e, which subsequently call \u003ccode\u003eSnippet::update()\u003c/code\u003e and \u003ccode\u003efile_put_contents()\u003c/code\u003e with a traversed path. An authenticated attacker with subscriber-level privileges can exploit this flaw to overwrite arbitrary files on the server with a fixed PHP docblock, leading to a potential denial-of-service condition by corrupting critical files such as \u003ccode\u003e.htaccess\u003c/code\u003e or \u003ccode\u003eindex.php\u003c/code\u003e. 
This vulnerability allows low-privileged users to gain elevated privileges on the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the WordPress site with subscriber-level access.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET request targeting the WordPress installation.\u003c/li\u003e\n\u003cli\u003eThe GET request includes the \u003ccode\u003epmcs_action\u003c/code\u003e parameter set to \u003ccode\u003ebulk_activate\u003c/code\u003e or \u003ccode\u003ebulk_deactivate\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe GET request includes the \u003ccode\u003esnippets[]\u003c/code\u003e parameter containing a path traversal payload, such as \u003ccode\u003e../../../.htaccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e function processes the request without proper authorization or nonce validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSnippet::activate()\u003c/code\u003e or \u003ccode\u003eSnippet::deactivate()\u003c/code\u003e functions are called, leading to \u003ccode\u003eSnippet::update()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSnippet::update()\u003c/code\u003e then calls \u003ccode\u003efile_put_contents()\u003c/code\u003e with the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites the targeted file (e.g., \u003ccode\u003e.htaccess\u003c/code\u003e, \u003ccode\u003eindex.php\u003c/code\u003e) with a fixed PHP docblock, leading to a denial of service or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to overwrite arbitrary files on the WordPress server. 
Overwriting critical files like \u003ccode\u003e.htaccess\u003c/code\u003e or \u003ccode\u003eindex.php\u003c/code\u003e can result in a denial-of-service condition, rendering the website unavailable. In some cases, this could be leveraged for further compromise by injecting malicious code into other PHP files or modifying server configurations. The vulnerability affects all installations using the Perfmatters plugin version 2.5.9 or earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Perfmatters plugin to the latest version to patch CVE-2026-4351.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Perfmatters Arbitrary File Overwrite Attempt\u003c/code\u003e to monitor for exploitation attempts targeting this vulnerability via HTTP GET requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious GET requests containing \u003ccode\u003epmcs_action=bulk_activate\u003c/code\u003e or \u003ccode\u003epmcs_action=bulk_deactivate\u003c/code\u003e and path traversal sequences within the \u003ccode\u003esnippets[]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission controls to limit the impact of potential file overwrite vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T02:37:36Z","date_published":"2026-04-10T02:37:36Z","id":"/briefs/2026-04-perfmatters-overwrite/","summary":"The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal, allowing authenticated attackers with subscriber-level access to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service.","title":"Perfmatters WordPress Plugin Arbitrary File Overwrite Vulnerability 
(CVE-2026-4351)","url":"https://feed.craftedsignal.io/briefs/2026-04-perfmatters-overwrite/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4350"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4350","wordpress","perfmatters","file-deletion","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Perfmatters plugin, a popular WordPress performance optimization tool, contains a critical vulnerability (CVE-2026-4350) affecting versions up to and including 2.5.9.1. This flaw enables authenticated attackers with Subscriber-level access, the lowest privilege level in WordPress, to delete arbitrary files on the server. The vulnerability stems from the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method\u0026rsquo;s failure to sanitize the \u003ccode\u003e$_GET['delete']\u003c/code\u003e parameter. This lack of validation allows for path traversal attacks using sequences like \u003ccode\u003e../\u003c/code\u003e, enabling attackers to navigate outside the intended storage directory and delete any accessible file. Successful exploitation can lead to the deletion of critical files such as \u003ccode\u003ewp-config.php\u003c/code\u003e, effectively disabling the website and potentially allowing a full site takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress site using a vulnerable version (\u0026lt;=2.5.9.1) of the Perfmatters plugin.\u003c/li\u003e\n\u003cli\u003eAttacker gains Subscriber-level access to the WordPress site. This can be achieved through registration or compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET request targeting the WordPress site. The request includes the \u003ccode\u003edelete\u003c/code\u003e parameter with a path traversal payload. 
For example: \u003ccode\u003e?delete=../../../../wp-config.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method within the Perfmatters plugin.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method processes the unsanitized \u003ccode\u003e$_GET['delete']\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin concatenates the malicious path with the storage directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function executes, deleting the file specified by the attacker\u0026rsquo;s path traversal payload.\u003c/li\u003e\n\u003cli\u003eIf the attacker successfully deletes \u003ccode\u003ewp-config.php\u003c/code\u003e, the WordPress site becomes inaccessible and redirects to the installation wizard, potentially allowing for complete site takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4350 allows attackers to delete arbitrary files on a vulnerable WordPress server. A key target is \u003ccode\u003ewp-config.php\u003c/code\u003e, which contains sensitive database credentials. Deleting this file forces WordPress into the installation wizard, potentially leading to a full site takeover. The impact ranges from defacement and data loss to complete control of the website, impacting businesses, organizations, and individuals relying on WordPress for their online presence. 
The ease of exploitation due to the low privilege requirements makes this a high-risk vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Perfmatters plugin to the latest version to patch CVE-2026-4350.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect Perfmatters Arbitrary File Deletion Attempt\u003c/code\u003e to identify potential exploitation attempts based on \u003ccode\u003ecs-uri-query\u003c/code\u003e in web server logs.\u003c/li\u003e\n\u003cli\u003eConsider implementing rate limiting on requests to \u003ccode\u003ewp-admin/options.php\u003c/code\u003e to mitigate potential brute-force exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual patterns in \u003ccode\u003ecs-uri-query\u003c/code\u003e parameters containing \u003ccode\u003e../\u003c/code\u003e sequences, as these may indicate path traversal attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T08:16:17Z","date_published":"2026-04-03T08:16:17Z","id":"/briefs/2026-04-perfmatters-file-deletion/","summary":"The Perfmatters plugin for WordPress versions up to 2.5.9.1 is vulnerable to arbitrary file deletion via path traversal, allowing authenticated attackers with minimal privileges to delete sensitive files.","title":"Perfmatters WordPress Plugin Arbitrary File Deletion Vulnerability (CVE-2026-4350)","url":"https://feed.craftedsignal.io/briefs/2026-04-perfmatters-file-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Perfmatters","version":"https://jsonfeed.org/version/1.1"}