Volerion logoVolerion
Volerion logoVolerion

Perfmatters WordPress Plugin Path Traversal Vulnerability Allowing Arbitrary File Overwrite

Vulnerability

A path traversal vulnerability allowing arbitrary file overwrite has been identified in the Perfmatters plugin for WordPress, affecting all versions through 2.5.9. The issue arises in the 'PMCS::action_handler()' method, which processes bulk actions without proper authorization checks or nonce verification. Unsanitized values from the 'snippets' parameter are passed to 'Snippet::activate()' and 'Snippet::deactivate()', ultimately leading to 'Snippet::update()' and 'file_put_contents()' being called with the traversed path. This vulnerability enables authenticated attackers with Subscriber-level access or higher to overwrite arbitrary files on the server with a fixed PHP docblock content. Such actions could corrupt critical files like '.htaccess' or 'index.php', potentially causing a denial-of-service condition.

Impact

Exploitation of this vulnerability allows for arbitrary file overwrites on the server, with the potential to disrupt website functionality by corrupting essential files.

Remediation

Users are advised to update the Perfmatters plugin to version 2.6.0 or later.

Added: Apr 10, 2026, 2:31 AM
Updated: Apr 10, 2026, 2:31 AM

Vulnerability Rating

Custom Algorithm
spread
1.0
impact
5.0
exploitability
5.4
remediation
7.7
relevance
5.6
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.