CVE-2026-4351 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: April 10, 2026
Perfmatters WordPress Plugin - Broken Access Control
Overview
Perfmatters WordPress plugin <= 2.5.9 contains an arbitrary file overwrite vulnerability caused by a lack of authorization and nonce verification in `PMCS::action_handler()`. Exploitation requires authentication: an attacker with Subscriber-level access or higher can overwrite files.
Severity & Score
Impact
Authenticated attackers can overwrite arbitrary files, potentially causing denial of service by corrupting critical server files.
Mitigation
Update to the latest version beyond 2.5.9.
References
Social Media Activity (2 posts)
CVE-2026-4351 - High (8.1) The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2.5.9. This is due to the `PMCS::action_handler()` method processing the bulk action `activate`/`deactivate` ha... https://www.thehackerwire.com/vulnerability/CVE-2026-4351/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-4351
- Severity: High
- CVSS Score: 8.1
- Type: broken_access_control
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H