Perfmatters WordPress Plugin Arbitrary File Deletion Vulnerability via Path Traversal

Vulnerability

A vulnerability in the Perfmatters plugin for WordPress allows authenticated attackers with Subscriber-level access and above to delete arbitrary files on the server. This issue is present in all versions through 2.5.9.1. The vulnerability arises from the 'PMCS::action_handler()' method, which processes the 'delete' parameter from the '$_GET' superglobal without proper sanitization, authorization checks, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to the 'unlink()' function, enabling attackers to use '../' sequences to traverse directories and delete sensitive files, such as 'wp-config.php', potentially leading to a full site takeover.
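As an added example, not code from Perfmatters or from the page, the following shows the unsafe handler shape the advisory describes next to a hardened version that adds the missing capability check, nonce verification and path containment. The function names, the nonce action 'example_delete_storage_file' and the 'manage_options' capability are assumptions; the real 'PMCS::action_handler()' is not reproduced.

```php
<?php
// Added example, not Perfmatters' code: the unsafe pattern from the advisory
// beside a hardened handler. Function names, the nonce action
// 'example_delete_storage_file' and the required capability are assumptions.

// Vulnerable shape described in the advisory: the 'delete' query parameter is
// joined onto the storage directory and passed to unlink() with no capability
// check, no nonce and no path validation, so "../" walks out of the directory.
function example_vulnerable_delete(string $storage_dir): void {
    if (!isset($_GET['delete'])) {
        return;
    }
    @unlink($storage_dir . '/' . $_GET['delete']);
}

// Resolve a user-supplied file name to an absolute path and prove it stays
// inside $base_dir. Returns null for anything that escapes or does not exist.
function example_resolve_inside(string $base_dir, string $user_name): ?string {
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // basename() drops every directory component, including "../" sequences
    // (backslashes are normalised first so Windows-style separators cannot slip through).
    $name = basename(str_replace('\\', '/', $user_name));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() also resolves symlinks, so a link planted inside the storage
    // directory that points elsewhere fails the prefix check below.
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Hardened handler: authorization first, then CSRF nonce, then containment.
function example_hardened_delete(string $storage_dir): bool {
    if (!isset($_GET['delete'])) {
        return false;
    }
    // 1. Authorization: Subscriber-level users must never reach this branch.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }
    // 2. Nonce: the request must come from a link or form this plugin rendered
    //    (the matching link would be built with wp_nonce_url() and the same action).
    check_admin_referer('example_delete_storage_file');

    // 3. Path containment: reject traversal, symlink escapes and missing files.
    $target = example_resolve_inside($storage_dir, wp_unslash($_GET['delete']));
    if ($target === null || !is_file($target)) {
        return false;
    }
    return unlink($target);
}
```

The order matters: the capability check and nonce run before any filesystem call, so an unauthenticated or low-privilege request is refused without touching the storage directory, and the containment check guards against both '../' traversal and symlinks placed inside the directory. On the detection side, requests to the plugin's handler whose 'delete' parameter contains '../' or resolves outside the storage directory are the pattern worth alerting on in web server logs.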

Impact

Exploitation of this vulnerability allows for arbitrary file deletion on the server, with the potential to delete critical WordPress files, such as 'wp-config.php', which could disrupt the site's functionality and security.

Added: Apr 3, 2026, 8:18 AM
Updated: Apr 3, 2026, 8:18 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 5.4
remediation: 0.0
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.