<0.1% probability · 16.2th percentile — 2026-05-12
Affected versions
Perfmatters plugin for WordPress versions up to 2.5.9.1
Summary
This path traversal vulnerability allows arbitrary file deletion in the Perfmatters WordPress plugin. The PMCS::action_handler() method processes the user-supplied delete parameter without sanitization, authorization checks, or nonce verification. Low-privilege authenticated attackers can delete critical system files, which can lead to full WordPress site takeover.
Remediation
Update the Perfmatters plugin to a version newer than 2.5.9.1 immediately. If you cannot update right away, restrict low-privilege user access to your WordPress admin area. After updating, scan your site for signs of unauthorized access or file modification.
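As a starting point for the post-update scan, the following added example (not part of the advisory and not the plugin's code) flags web-server log entries whose delete parameter resolves to a path outside its directory. It assumes combined-format access logs and that the parameter appears in the logged query string; the admin page name and all sample log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined-log request field: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if a file-name parameter would escape its intended directory."""
    path = decode_fully(value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/") or "\x00" in path

def suspicious_delete_requests(lines, param="delete"):
    """Return (line_number, decoded_value) for requests whose `param` traverses."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qsl already percent-decodes once; decode_fully handles the rest.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == param and is_traversal(value):
                hits.append((number, decode_fully(value)))
    return hits

# Constructed sample log lines (not from a real site). The admin page name
# "example-page" and the file names are placeholders, not the plugin's own.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=example-page&delete=snippet-12.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/May/2026:10:02:44 +0000] "GET /wp-admin/admin.php?page=example-page&delete=..%2F..%2Fexample.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [12/May/2026:10:02:51 +0000] "GET /wp-admin/admin.php?page=example-page&delete=%252e%252e%252fexample.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [12/May/2026:10:05:10 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, value in suspicious_delete_requests(SAMPLE_LOG):
        print(f"line {number}: delete={value!r}")
```

Requests that carry the parameter in a POST body are not visible in standard access logs, so a clean result here does not rule out abuse; compare file listings against a known-good backup as well.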