200,000 WordPress Sites at Risk from Arbitrary File Deletion Flaw in Perfmatters Plugin
A critical arbitrary file deletion vulnerability (CVE-2026-4350) in the Perfmatters WordPress plugin, affecting over 200,000 sites, allows unauthenticated attackers to delete arbitrary files including wp-config.php via path traversal.

A critical arbitrary file deletion vulnerability has been discovered in the Perfmatters WordPress plugin, putting more than 200,000 active installations at risk of complete site takeover. Tracked as CVE-2026-4350 and carrying a CVSS score of 8.1 (High), the flaw resides in the plugin's snippet management functionality and can be exploited by unauthenticated attackers with no special privileges.
The vulnerability was responsibly disclosed to Wordfence on March 1, 2026, by researcher hoshino, who earned a $3,726 bounty through the Wordfence Bug Bounty Program. The issue affects all versions of Perfmatters up to and including 2.5.9.1. The developer, forgemedia LLC, released a patched version (2.6.0) on March 25, 2026, after being notified through the Wordfence Vulnerability Management Portal.
At the technical level, the flaw exists in the `PMCS::action_handler()` method, which processes the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the plugin's storage directory path and passed directly to the `unlink()` PHP function. By using `../` path traversal sequences, an attacker can delete any file on the server, including the critical `wp-config.php` configuration file.
Deleting `wp-config.php` forces WordPress into its installation wizard, effectively allowing an attacker to reconfigure the database connection and take full control of the site. From there, remote code execution becomes possible, enabling the attacker to install backdoors, deface content, or pivot to other systems on the same server.
The vulnerability is particularly dangerous because it requires no authentication. The `action_handler()` function lacks capability checks and nonce verification, meaning any visitor to the site — including unauthenticated users — can trigger the delete operation simply by crafting a malicious URL. The `delete()` function also fails to restrict file paths to the intended snippet folder, making directory traversal trivial.
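The following is an added illustration, not code from Perfmatters or Wordfence: a reconstruction of the unsafe pattern the advisory describes (user input joined to the storage directory and passed to `unlink()`), beside a hardened deletion routine that adds the three missing controls named above: a capability check, a nonce check, and containment of the resolved path within the snippet directory. The hook name, nonce action, capability and storage location are assumptions chosen for the example; the stand-alone demo at the bottom uses a constructed temporary directory and runs under the PHP CLI without WordPress.

```php
<?php
// Added example (not the plugin's own code). Shows the unsafe delete pattern
// described in the advisory next to a hardened version with the missing checks.

// UNSAFE: illustrative reconstruction of the pattern described above, not the
// plugin's actual source. Input is concatenated onto the storage directory and
// handed straight to unlink(), with no authorization, nonce, or path check, so
// "../" sequences reach any file the web server user can delete.
function unsafe_delete_snippet(string $storage_dir, string $requested): bool {
    return @unlink($storage_dir . '/' . $requested);
}

// Resolve a requested snippet name to a canonical path inside $storage_dir,
// or return null if it does not name an existing regular file in that
// directory. realpath() collapses "../" and follows symlinks, so the
// containment check below runs on the real target, not the supplied string.
function resolve_snippet_path(string $storage_dir, string $requested): ?string {
    $base = realpath($storage_dir);
    if ($base === false) {
        return null;
    }
    // Only a bare file name is ever legitimate here; drop any directory part.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return null; // does not exist, or is not a regular file
    }
    // Defence in depth: even after basename(), a symlink inside the folder
    // could point elsewhere, so require the canonical path to sit under $base.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

function safe_delete_snippet(string $storage_dir, string $requested): bool {
    $target = resolve_snippet_path($storage_dir, $requested);
    return $target !== null && unlink($target);
}

// Hardened request handler. The hook, nonce action, capability and storage
// directory are assumptions for this example, not values from the plugin.
function example_hardened_delete_handler(): void {
    if (!isset($_GET['delete'])) {
        return;
    }
    // 1. Capability check: only administrators may delete snippets.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    // 2. Nonce check: the request must originate from a form/link WordPress issued.
    $nonce = isset($_GET['_wpnonce']) ? sanitize_text_field(wp_unslash($_GET['_wpnonce'])) : '';
    if (!wp_verify_nonce($nonce, 'example_delete_snippet')) {
        wp_die('Invalid request', '', ['response' => 403]);
    }
    // 3. Sanitize the name and confine deletion to the snippet directory.
    $requested   = sanitize_file_name(wp_unslash($_GET['delete']));
    $storage_dir = WP_CONTENT_DIR . '/example-snippets'; // assumed location
    if (!safe_delete_snippet($storage_dir, $requested)) {
        wp_die('Snippet not found', '', ['response' => 404]);
    }
}
if (function_exists('add_action')) {
    add_action('admin_init', 'example_hardened_delete_handler');
}

// Stand-alone CLI demo on a constructed directory layout (no WordPress needed).
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $root = sys_get_temp_dir() . '/snippet-demo-' . getmypid();
    mkdir("$root/snippets", 0700, true);
    file_put_contents("$root/wp-config.php", "<?php // constructed decoy\n");
    file_put_contents("$root/snippets/ok.css", "body{}\n");

    foreach (['ok.css', '../wp-config.php', '..', 'missing.css'] as $req) {
        $ok = safe_delete_snippet("$root/snippets", $req);
        printf("%-20s %s\n", $req, $ok ? 'deleted' : 'rejected');
    }
    // Only snippets/ok.css is removed; the decoy wp-config.php survives.
    printf("decoy intact: %s\n", file_exists("$root/wp-config.php") ? 'yes' : 'no');
}
```

The containment check is the part that closes the traversal: `basename()` discards any supplied directory component, and comparing the `realpath()` result against the canonical base directory also catches a symlink planted inside the snippet folder. The capability and nonce checks address the unauthenticated-access issue separately; a path check alone would still let any visitor delete legitimate snippets, and auth alone would still let an administrator-level account (or a CSRF'd one without the nonce) delete files outside the folder.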
Wordfence has confirmed that all Wordfence Premium, Wordfence Care, Wordfence Response, and free-tier users are already protected against exploitation by the Wordfence firewall's built-in Local File Inclusion protection. However, sites not using Wordfence or relying solely on the plugin's own defenses remain exposed until they update to version 2.6.0.
This vulnerability follows a pattern of dangerous file-deletion flaws in popular WordPress plugins. Earlier in 2026, a similar arbitrary file deletion vulnerability in the Funnel Builder plugin was actively exploited to inject payment skimmers into WooCommerce checkout pages. Site administrators are strongly urged to update Perfmatters to version 2.6.0 immediately and to audit their sites for signs of compromise.