Perfmatters < 2.6.0 – Authenticated (Subscriber+) Arbitrary File Overwrite via 'snippets' Parameter | CVE 2026-4351 | Plugin Vulnerabilities

Description

The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2.5.9. This is due to the `PMCS::action_handler()` method processing the bulk action `activate`/`deactivate` handlers without any authorization check or nonce verification. The `$_GET['snippets'][]` values are passed unsanitized to `Snippet::activate()`/`Snippet::deactivate()` which call `Snippet::update()` then `file_put_contents()` with the traversed path. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service by corrupting critical files like `.htaccess` or `index.php`.

Affects Plugins

Fixed in 2.6.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c172ab2b-ce1f-4a0d-b31f-b75ff2f03506

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

hoshino

Verified

No

WPVDB ID

547e1ec2-26a3-410c-8b18-b22ca2d18efd

Timeline

Publicly Published

2026-04-09 (about 1 month ago)

Added

2026-04-09 (about 1 month ago)

Last Updated

2026-04-10 (about 1 month ago)

Other

Published

Title

Published

2025-07-21

Title

Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) < 3.2.9 - Unauthenticated Arbitrary File Deletion Triggered via Admin Form Submission Deletion

Published

2024-08-05

Title

WPBakery < 7.8 - Authenticated (Author+) Local File Inclusion

Published

2025-07-17

Title

Attachment Manager <= 2.1.2 - Unauthenticated Arbitrary File Deletion

Published

2024-03-26

Title

The Plus Addons for Elementor < 5.4.2 - Contributor+ LFI

Published

2014-08-01

Title

wp-amasin-the-amazon-affiliate-shop 0.9.6 - reviews.php url Parameter Local File Inclusion