CVE-2026-4350
Perfmatters <= 2.5.9.1 - Authenticated (Subscriber+) Arbitrary File Deletion via 'delete' ParameterThe Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server by using `../` path traversal sequences, including `wp-config.php` which would force WordPress into the installation wizard and allow full site takeover.
We have discovered 17,092 live websites that are affected by CVE-2026-4350.
Affected Software
| Product | |
| Category | Wordpress Plugins |
| Vulnerable Domains | 17,092 live websites (100% of Perfmatters install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 153 versions ( 99% of all versions) |
Common Weakness Enumeration
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Details
- Published - Apr 3, 2026
- Updated - Apr 8, 2026
Credits
- Phú (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-4350 United States | 8,901 websites |
 Germany | 1,049 websites |
 GB | 872 websites |
 France | 497 websites |
 Netherlands | 454 websites |
 Spain | 451 websites |
 Canada | 428 websites |
 Australia | 427 websites |
 Iran | 366 websites |
 Brazil | 315 websites |
Website Distribution by TLD
Number of websites using CVE-2026-4350| .com | 9,518 websites |
| .org | 722 websites |
| .de | 629 websites |
| .co.uk | 621 websites |
| .com.au | 444 websites |
| .nl | 422 websites |
| .net | 359 websites |
| .com.br | 295 websites |
| .fr | 266 websites |
| .pl | 237 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-4350
Top websites that are affected by CVE-2026-4350. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ************.com | United States | *,*** | |
| **********.com | United States | *,*** | |
| **********.com | United States | *,*** | |
| ***********.com | United States | *,*** | |
| *************.com | United States | *,*** | |
| ********.com | United States | *,*** | |
| ***************.net | United States | *,*** | |
| *******.com | United States | *,*** | |
| ************.org | France | *,*** | |
| *******.com | Canada | *,*** |
FAQ
CVE-2026-4350 is Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Perfmatters
A total of 17,092 websites have been identified as vulnerable to CVE-2026-4350, based on global website indexing conducted by WebTechSurvey.
The Perfmatters is affected by the CVE-2026-4350 vulnerability.
Perfmatters versions up to and including 2.5.9.1 are vulnerable to CVE-2026-4350.