{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4351", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-17T17:19:49.858Z", "datePublished": "2026-04-10T01:24:59.539Z", "dateUpdated": "2026-04-10T15:54:52.222Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-10T01:24:59.539Z"}, "affected": [{"vendor": "perfmatters", "product": "Perfmatters", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2.5.9. This is due to the `PMCS::action_handler()` method processing the bulk action `activate`/`deactivate` handlers without any authorization check or nonce verification. The `$_GET['snippets'][]` values are passed unsanitized to `Snippet::activate()`/`Snippet::deactivate()` which call `Snippet::update()` then `file_put_contents()` with the traversed path. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service by corrupting critical files like `.htaccess` or `index.php`."}], "title": "Perfmatters <= 2.5.9 - Authenticated (Subscriber+) Arbitrary File Overwrite via 'snippets' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c172ab2b-ce1f-4a0d-b31f-b75ff2f03506?source=cve"}, {"url": "https://perfmatters.io/docs/changelog/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "timeline": [{"time": "2026-03-19T20:20:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-09T11:55:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T15:51:30.180464Z", "id": "CVE-2026-4351", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T15:54:52.222Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4351", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T15:51:30.180464Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T15:51:34.994Z"}}], "cna": {"title": "Perfmatters <= 2.5.9 - Authenticated (Subscriber+) Arbitrary File Overwrite via 'snippets' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "perfmatters", "product": "Perfmatters", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.5.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-19T20:20:05.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-09T11:55:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c172ab2b-ce1f-4a0d-b31f-b75ff2f03506?source=cve"}, {"url": "https://perfmatters.io/docs/changelog/"}], "descriptions": [{"lang": "en", "value": "The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2.5.9. This is due to the `PMCS::action_handler()` method processing the bulk action `activate`/`deactivate` handlers without any authorization check or nonce verification. The `$_GET['snippets'][]` values are passed unsanitized to `Snippet::activate()`/`Snippet::deactivate()` which call `Snippet::update()` then `file_put_contents()` with the traversed path. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service by corrupting critical files like `.htaccess` or `index.php`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-10T01:24:59.539Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4351", "state": "PUBLISHED", "dateUpdated": "2026-04-10T15:54:52.222Z", "dateReserved": "2026-03-17T17:19:49.858Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-10T01:24:59.539Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2.5.9. This is due to the `PMCS::action_handler()` method processing the bulk action `activate`/`deactivate` handlers without any authorization check or nonce verification. The `$_GET['snippets'][]` values are passed unsanitized to `Snippet::activate()`/`Snippet::deactivate()` which call `Snippet::update()` then `file_put_contents()` with the traversed path. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service by corrupting critical files like `.htaccess` or `index.php`."}], "id": "CVE-2026-4351", "lastModified": "2026-04-10T02:16:03.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-10T02:16:03.553", "references": [{"source": "security@wordfence.com", "url": "https://perfmatters.io/docs/changelog/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c172ab2b-ce1f-4a0d-b31f-b75ff2f03506?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Perfmatters", "source": "cna", "vendor": "perfmatters"}, "product": "perfmatters", "vendor": "perfmatters"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T02:22:07.535786+00:00", "value": {"mitigation_remediation": ["Update the Perfmatters plugin to the latest version (2.6.0 or later).", "Verify that all sites are running the patched plugin and no older versions remain.", "If an immediate update is impossible, disable the plugin or remove the 'snippets' functionality to block the vulnerable endpoint."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Overwrite"}, "threat_synthesis": {"affected_systems": "WordPress installations using the Perfmatters plugin, versions 2.5.9 and earlier, are affected. Any site running one of those releases without an updated version is vulnerable.", "description_and_impact": "The flaw in the Perfmatters WordPress plugin allows an authenticated user with Subscriber level or higher to supply arbitrary paths through the 'snippets' parameter. Because the action handler processes these paths without sanitization or authorization checks, the plugin writes directly to the specified location using file_put_contents. This path traversal leads to overwriting of critical files such as .htaccess or index.php, potentially causing denial of service or enabling remote code execution if the attacker writes malicious content.", "risk_and_exploitability": "The vulnerability scores a 8.1 on the CVSS scale, indicating high severity. The EPSS score is not available, and it is not listed in CISA\u2019s KEV catalog. Likely exploitation requires a user authenticated as Subscriber or higher, and the attacker can trigger the overwrite by directing the plugin to process a crafted 'snippets' request. Because the plugin lacks any nonce verification, the attack can be performed remotely if the site allows authenticated actions via the baseline login mechanism."}}}}, "created": "2026-04-10T08:36:09.733689+00:00", "updated": "2026-04-10T09:27:09.562430+00:00", "vendors": ["perfmatters", "perfmatters$PRODUCT$perfmatters", "wordpress", "wordpress$PRODUCT$wordpress"]}