JustAppSec

Perfmatters path traversal enables arbitrary file deletion

Published 02 Apr 2026. Updated 03 Apr 2026. Source: Wordfence Intelligence.

TL;DR — A path traversal arbitrary-file-delete bug in the WordPress Perfmatters plugin can be abused by low-privileged users to delete sensitive files and potentially take over the site.

What happened

Perfmatters is a WordPress performance optimization plugin that helps reduce page load time by disabling/deferring features and managing front-end assets.

Wordfence disclosed CVE-2026-4350: a path traversal leading to arbitrary file deletion in PMCS::action_handler(), where the plugin processes the $_GET['delete'] parameter without sanitization, authorization checks, or nonce verification. The resulting attacker-controlled path is concatenated with the plugin’s storage directory and passed to unlink(), enabling deletion of files via ../ traversal sequences.

Per Wordfence, an authenticated attacker with Subscriber-level access or higher can delete arbitrary files including wp-config.php; deleting wp-config.php can force WordPress into the installation flow and enable full site takeover. This is a high-signal class of issue for platform teams because WordPress plugins are a core application supply-chain surface, and “file delete” primitives frequently become full compromise when they can target config/bootstrap files.
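As an added example (not Perfmatters' code, and not taken from the Wordfence write-up), the PHP below shows the three controls the disclosure says action_handler() lacked, applied to a hypothetical delete handler: a capability check, nonce verification, and confinement of the resolved path to the plugin's storage directory before anything reaches unlink(). Every name prefixed "hypothetical_", the choice of the manage_options capability, the nonce action name and the storage directory are assumptions made for illustration.

```php
<?php
// Added example, not Perfmatters code. Names prefixed "hypothetical_" and the
// storage directory are assumptions made for illustration.

function hypothetical_storage_dir(): string {
    // Assumed plugin storage directory under the WordPress uploads base dir.
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'hypothetical-plugin-cache/';
}

/**
 * Resolve a user-supplied file name to an existing path inside $base.
 * Returns null for anything that is not a bare file name in that directory.
 */
function hypothetical_confine_path( string $base, string $user_input ): ?string {
    // sanitize_file_name() strips slashes and collapses ".." runs, so the
    // result can only ever name a single path component.
    $name = sanitize_file_name( wp_unslash( $user_input ) );
    if ( '' === $name || $name !== basename( $name ) ) {
        return null;
    }
    // Defence in depth: canonicalise both sides and require the candidate to
    // sit strictly below the base directory (also catches symlink escapes).
    $real_base = realpath( $base );
    $candidate = realpath( $base . $name );
    if ( false === $real_base || false === $candidate ) {
        return null; // base missing, or the file does not exist
    }
    if ( 0 !== strpos( $candidate, $real_base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $candidate;
}

function hypothetical_delete_handler(): void {
    if ( ! isset( $_GET['delete'] ) || ! is_string( $_GET['delete'] ) ) {
        return;
    }
    // 1. Authorization: require a capability, not merely a logged-in user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. Nonce verification: the request must come from a page that minted a
    //    nonce for this specific action (see hypothetical_delete_link below).
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'hypothetical_delete' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    // 3. Path confinement: the raw parameter never reaches the filesystem.
    $target = hypothetical_confine_path( hypothetical_storage_dir(), $_GET['delete'] );
    if ( null === $target ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }
    wp_delete_file( $target );
}
add_action( 'admin_init', 'hypothetical_delete_handler' );

// Building the matching link in the admin UI, so the nonce check above passes
// only for links the plugin itself rendered.
function hypothetical_delete_link( string $file_name ): string {
    $url = add_query_arg( 'delete', rawurlencode( $file_name ), admin_url( 'admin.php?page=hypothetical' ) );
    return wp_nonce_url( $url, 'hypothetical_delete' );
}
```

The order of the checks matters for reviewers: authorization and nonce verification fail closed before any filesystem call, and the realpath comparison is kept even though sanitize_file_name() already removes separators, so a regression in either layer alone does not reopen the traversal.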

Who is impacted

  • WordPress sites running the perfmatters plugin at versions <= 2.5.9.1.
  • Environments where untrusted users can obtain Subscriber (or higher) accounts (community sites, membership sites, compromised credentials, shared admin workflows).
  Component                    | Affected versions (per Wordfence) | Patched version (per Wordfence)
  WordPress plugin perfmatters | <= 2.5.9.1                        | 2.6.0

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing. Wordfence's remediation note: "Update to version 2.6.0, or a newer patched version".

  • Inventory where perfmatters is deployed (production sites, staging clones, golden images, WP templates) and prioritize upgrades for internet-facing sites.
  • Treat this as a filesystem integrity risk: if you suspect abuse, review web logs for requests hitting the affected handler and check for unexpected deletions/modifications of wp-config.php and other bootstrap/config files.
  • Reduce blast radius while upgrading: ensure Subscriber (and other low-privileged) accounts are tightly controlled, and review whether any automation or integrations create user accounts with unnecessary roles.
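A defender-side companion to the log-review step above, added here as an example and not drawn from the advisory: a small PHP CLI script that flags access-log requests whose `delete` query parameter contains a parent-directory reference, decoding percent-encoding so that encoded variants are caught as well. The log lines are constructed for the example and the admin page slug in them is a placeholder; the advisory does not name the request path of the affected handler, so the check keys on the parameter rather than on a URL.

```php
<?php
// Added example, not from the advisory. The log lines are constructed and the
// "page=hypothetical" slug is a placeholder, not the real handler's URL.

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [02/Apr/2026:10:12:01 +0000] "GET /wp-admin/admin.php?page=hypothetical&delete=report.log HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2026:10:12:09 +0000] "GET /wp-admin/admin.php?page=hypothetical&delete=../../../wp-config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Apr/2026:10:13:44 +0000] "GET /wp-admin/admin.php?page=hypothetical&delete=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"
192.0.2.9 - - [02/Apr/2026:10:14:02 +0000] "GET /?s=delete HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

/**
 * True when the request line carries a `delete` query parameter whose decoded
 * value contains a parent-directory reference ("..") as a path component.
 */
function request_has_traversal_delete( string $log_line ): bool {
    // Pull the request target out of the quoted "METHOD target HTTP/x.y" field.
    if ( ! preg_match( '#"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"#', $log_line, $m ) ) {
        return false;
    }
    $query = parse_url( $m[1], PHP_URL_QUERY );
    if ( ! is_string( $query ) ) {
        return false;
    }
    parse_str( $query, $params ); // percent-decodes each value once
    if ( ! isset( $params['delete'] ) || ! is_string( $params['delete'] ) ) {
        return false;
    }
    // Decode again to catch double-encoded sequences (e.g. %252e%252e),
    // then normalise backslashes so "..\" is treated like "../".
    $value = str_replace( '\\', '/', rawurldecode( $params['delete'] ) );
    return 1 === preg_match( '#(^|/)\.\.(/|$)#', $value );
}

/** Return the subset of log lines that match the check above. */
function suspicious_requests( string $log ): array {
    $hits = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( request_has_traversal_delete( $line ) ) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Usage: php scan.php, or swap SAMPLE_LOG for file_get_contents('access.log').
foreach ( suspicious_requests( SAMPLE_LOG ) as $hit ) {
    echo 'SUSPICIOUS: ', $hit, PHP_EOL;
}
```

With the constructed input, the second and third lines are reported (the plain and the percent-encoded traversal) while the legitimate delete of report.log and the unrelated search request are not. A hit from a Subscriber-level session, or one followed by a 200 response and a sudden installer page on the site, is the signal to pull a filesystem snapshot and compare wp-config.php and the other bootstrap files against a known-good copy.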

Additional Information

  • CVE record: https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/4xxx/CVE-2026-4350.json
  • Perfmatters changelog (includes 2.6.0 release entry): https://perfmatters.io/docs/changelog/

