Perfmatters Arbitrary File Deletion: 200,000 Sites at Risk (CVE-2026-4350)
By WP Vanguard Team
A high-severity vulnerability in Perfmatters, one of the most popular WordPress performance optimization plugins, allows authenticated attackers with nothing more than a subscriber account to delete any file on the server. That includes wp-config.php, the single file that holds your database credentials, authentication keys, and every secret your WordPress installation depends on. Delete it, and your site drops into the installation wizard. From there, a full takeover is trivial.
The flaw is tracked as CVE-2026-4350 with a CVSS score of 8.1 (HIGH). It affects all versions of Perfmatters up to and including 2.5.9.1. A patch is available in version 2.6.0. If you are running Perfmatters, stop reading and update now. The rest of this article will be here when you get back.
What Is Perfmatters?
Perfmatters is a premium WordPress performance plugin with more than 200,000 active installations. It is widely used by agencies, developers, and site owners who need granular control over script loading, lazy loading, database optimization, and dozens of other frontend and backend performance tweaks.
The plugin is developed by Brian Jackson and is distributed exclusively through perfmatters.io. Because it is a premium plugin, it does not appear in the WordPress.org repository, which means automatic updates depend on the license key being active and the update mechanism within the plugin itself.
This matters for vulnerability response. Unlike free plugins where WordPress.org can push forced updates, premium plugins rely entirely on their own update infrastructure. If your license has expired or if the update check is disabled, you will not receive the patch automatically.
The Vulnerability: Path Traversal in action_handler
CVE-2026-4350 is a path traversal vulnerability that leads to arbitrary file deletion. It was reported to Wordfence on March 1, 2026, the vendor was notified on March 19, and public disclosure followed on April 2, 2026.
How Path Traversal File Deletion Works
Path traversal is one of the oldest classes of web vulnerability. It exploits the way applications construct file paths from user input. When a program takes a filename from a request parameter and passes it to a file operation without validating the path, an attacker can use directory traversal sequences like ../ to escape the intended directory and reach any file on the filesystem that the web server process can access.
For a file deletion vulnerability, the attack looks like this:
- The application expects a filename like
report.csv - The attacker sends
../../../../wp-config.phpinstead - The application prepends its storage directory, producing something like
/var/www/html/wp-content/cache/../../../../wp-config.php - The operating system resolves that path to
/var/www/html/wp-config.php - The file is deleted
The key ingredient is the absence of path validation. If the application does not check whether the resolved path stays within the intended directory, any file reachable by the web server user is fair game.
The Specific Flaw
The vulnerability exists in the PMCS::action_handler() method. This method processes the $_GET['delete'] parameter and passes it directly to PHP's unlink() function. Three critical safeguards are missing:
-
No sanitization. The filename is not stripped of directory traversal sequences. A value like
../../../wp-config.phppasses through untouched. -
No authorization check. The method does not verify whether the current user has permission to delete files. Any authenticated user, including subscribers, can trigger it.
-
No nonce verification. The method does not validate a WordPress nonce, which means the request is not tied to a specific user session. This opens the door to cross-site request forgery (CSRF) attacks where a malicious page tricks an authenticated user's browser into sending the delete request.
The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. The network attack vector and low attack complexity mean this can be exploited remotely with minimal effort. The low privilege requirement reflects the subscriber-level access needed. The high integrity and availability impacts reflect the ability to delete critical files and take down the site entirely.
Why This Is Especially Dangerous
Three factors combine to make CVE-2026-4350 worse than a typical file deletion bug.
Subscriber-level access is trivial to obtain. Any WordPress site with open user registration gives attackers a subscriber account for free. WooCommerce stores, membership sites, community forums, and any site using BuddyPress or bbPress typically have registration enabled. Even sites without public registration are at risk if any subscriber-level account has a weak or reused password.
wp-config.php deletion is a site takeover. When WordPress cannot find wp-config.php, it assumes it has never been configured and presents the installation wizard. An attacker who triggers the wizard can point WordPress at their own database, create a new administrator account, and take complete control of the site. The original database with all content and user data is still on the server, accessible once the attacker reconnects to it.
No nonce means CSRF is possible. Even if a site has no public registration, the missing nonce verification means an attacker can craft a malicious link or embed it in a page. If any authenticated user with subscriber or higher privileges visits that page, their browser sends the delete request with their valid session cookies. The user does not need to click anything or provide consent.
Who Is Actually at Risk
You are at risk if all of the following are true:
- You are running Perfmatters version 2.5.9.1 or earlier
- Your site has any user accounts with subscriber-level access or above
The risk is highest for:
- WooCommerce stores where customer accounts are standard
- Membership sites with open registration
- Community sites using BuddyPress, bbPress, or similar
- Multisite installations where a user on any site in the network may have sufficient privileges
Sites with no user registration and only administrator accounts are at lower risk but are still vulnerable to CSRF attacks if any admin visits a malicious page while logged in.
What You Can Do Right Now
-
Update to Perfmatters 2.6.0 immediately. Log into your Perfmatters account at perfmatters.io, download the latest version, and update through your WordPress dashboard. If your license has expired, renew it. This is not the time to delay.
-
Disable public user registration if your site does not require it. Go to Settings > General and uncheck "Anyone can register." For WooCommerce stores where customer accounts are necessary, proceed to step 3.
-
Audit your subscriber accounts. Go to Users > All Users and filter by the Subscriber role. Look for accounts you do not recognize, accounts with suspicious email addresses, or accounts created recently that you cannot explain. Delete any that are not legitimate.
-
Verify file integrity. Confirm that wp-config.php exists and has not been modified. Check that WordPress core files are intact. If you have a backup from before the vulnerability was disclosed, compare your current filesystem against it.
-
Run a security scan. Use a scanner that checks plugin versions against known vulnerabilities. WP Vanguard's free surface scan checks your plugins against a database of 38,000+ CVEs and will flag outdated Perfmatters installations immediately.
How to Tell If You Have Been Compromised
The signs of exploitation through this vulnerability are distinct:
-
WordPress installation wizard appears. If you visit your site and see the WordPress setup screen, wp-config.php has been deleted. This is the most visible indicator.
-
Critical files are missing. Check for the existence of wp-config.php, .htaccess, and other files in your WordPress root. Use your hosting file manager or SSH to verify.
-
New administrator accounts exist. If an attacker deleted wp-config.php and ran the installation wizard, they created a new admin account. Check your users list for unfamiliar administrators.
-
Database connection errors. If wp-config.php was deleted and no one ran the wizard, your site will show a "Error establishing a database connection" message.
-
Unexplained file modifications. Review recent file changes in your WordPress installation. Files modified within the last few days that you did not touch warrant investigation.
If you find evidence of compromise, restore wp-config.php from a backup immediately, change your database password, regenerate your WordPress salts, and audit all user accounts. Consider a full malware scan to check for additional backdoors.
The Broader Pattern
CVE-2026-4350 is not an isolated incident. The first week of April 2026 has seen multiple path traversal vulnerabilities affecting WordPress plugins:
-
wpForo Forum (CVE-2026-3666, CVSS 8.8) — The same class of vulnerability: arbitrary file deletion via path traversal, also exploitable at subscriber level. wpForo patched in version 2.4.17.
-
ProfilePress (CVE-2026-3309, CVSS 6.5) — Arbitrary shortcode execution through unsanitized billing field values. Still unpatched at time of writing, affecting 100,000+ sites.
Path traversal vulnerabilities persist because they are easy to introduce and easy to miss in code review. Any time user input touches a filesystem operation, the risk exists. The WordPress ecosystem is particularly vulnerable because plugins frequently handle file operations for features like caching, exports, uploads, and cleanup.
The fix is always the same: validate that the resolved file path stays within the intended directory, verify the user has permission to perform the operation, and validate a nonce to prevent CSRF. When all three checks are present, path traversal attacks fail. When any one is missing, the door is open.
What Happens When You Update
Perfmatters version 2.6.0 addresses CVE-2026-4350 by adding proper input sanitization, authorization checks, and nonce verification to the affected method. After updating, the action_handler() method will reject any request that contains path traversal sequences, comes from an unauthorized user, or lacks a valid nonce.
The update process is straightforward. Log into your WordPress dashboard, navigate to the plugins page, and update Perfmatters. If you manage multiple sites, prioritize those with open user registration or existing subscriber accounts.
For agencies managing client sites, this is a patch-now situation. The vulnerability is public, the technical details are known, and the exploitation requirements are low. Every day a site remains on version 2.5.9.1 or earlier is a day it is exposed.
Scan your site for vulnerable plugin versions | View pricing | WordPress vulnerability roundup: April 2026
Related reading
Check Your WordPress Site Security
Free scan, no login required. Find vulnerabilities before attackers do.
Scan Your Site FreeGet weekly WordPress security tips
Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.