Researchers have exposed a critical vulnerability in Perfmatters, a popular performance-optimization WordPress plugin with over 200,000 active installations. The flaw, identified as CVE-2026-4350, carries a CVSS score of 8.1 and gives attackers a direct path to dismantle a website from the inside out.
The flaw was discovered by a researcher known as “hoshino” through the Wordfence Bug Bounty Program.
At the heart of the issue is the plugin’s PMCS::action_handler() method. This function manages “snippets”, small pieces of code used for site customization. Researchers found that it processed the $_GET['delete'] parameter without any of three essential safeguards: sanitization, an authorization check, and nonce verification.
Because these checks were missing, an unauthenticated attacker could remotely trigger the “delete” action. Even worse, the function did not restrict file paths to the intended snippet folder.
“This means that attackers can specify any file on the server to be read and then subsequently deleted… including the site’s wp-config.php file,” the report explains.
The ability to delete arbitrary files via path traversal is more than a data-loss risk; it is a stepping stone to full server control. By using ../ sequences, an attacker can reach and destroy the wp-config.php file, which contains the site’s database credentials and core settings.
Once this file is gone, the consequences are immediate:
- The Reset: Deleting wp-config.php “forces the site into a setup state”.
- The Hijack: When a legitimate user (or the attacker) visits the site, they are greeted by the WordPress installation wizard.
- The Takeover: The attacker can then complete the installation by connecting the site to a database under their own control, effectively seizing the entire platform.
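The pattern described above (a “delete” query parameter carrying traversal sequences or the name wp-config.php) is also something site operators can look for after the fact. The following is an added defender-side example, not code from the article or from Perfmatters: it scans web server access-log lines for a `delete` parameter that escapes a plain snippet name. The log lines and the request paths in them are constructed for this example; the exact endpoint the vulnerable handler listened on is not given in the article.

```php
<?php
// Added example (not from the article or from Perfmatters): scan combined-format
// access-log lines for a "delete" query parameter that contains a traversal
// sequence, a directory separator, or the name wp-config.php.
// The log lines below are constructed; the request paths are assumptions.

const EXAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=example-snippets&delete=my-snippet.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Mar/2026:10:02:15 +0000] "GET /?delete=../../../wp-config.php HTTP/1.1" 200 0',
    '203.0.113.9 - - [10/Mar/2026:10:02:16 +0000] "GET /?delete=..%2F..%2Fwp-config.php HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Mar/2026:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5120',
];

/**
 * Inspect one access-log line.
 *
 * @return array|null Finding (client IP, decoded value, reasons), or null if benign.
 */
function example_flag_suspicious_delete( string $line ) {
    // Extract the request target from the quoted request field.
    if ( ! preg_match( '/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
        return null;
    }

    $query = parse_url( $m[1], PHP_URL_QUERY );
    if ( ! is_string( $query ) || $query === '' ) {
        return null;
    }

    // parse_str() percent-decodes, so "..%2F" is seen as "../", as the server would see it.
    parse_str( $query, $params );
    if ( ! isset( $params['delete'] ) || ! is_string( $params['delete'] ) ) {
        return null;
    }

    $value   = $params['delete'];
    $reasons = [];
    if ( strpos( $value, '..' ) !== false ) {
        $reasons[] = 'traversal sequence';
    }
    if ( strpbrk( $value, '/\\' ) !== false ) {
        $reasons[] = 'directory separator';
    }
    if ( stripos( $value, 'wp-config' ) !== false ) {
        $reasons[] = 'names wp-config.php';
    }

    if ( $reasons === [] ) {
        return null;
    }
    return [
        'ip'      => strtok( $line, ' ' ),
        'delete'  => $value,
        'reasons' => $reasons,
    ];
}

foreach ( EXAMPLE_LOG_LINES as $line ) {
    $finding = example_flag_suspicious_delete( $line );
    if ( $finding !== null ) {
        printf( "ALERT %s delete=%s (%s)\n", $finding['ip'], $finding['delete'], implode( ', ', $finding['reasons'] ) );
    }
}
```

Run against the constructed lines, only the two requests from 203.0.113.9 are flagged; the legitimate snippet deletion and the login request pass. Decoding the query string before matching matters, since a rule that only greps the raw line for `../` misses the percent-encoded variant.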
The vendor has moved quickly to patch the hole. The latest version of Perfmatters introduces three critical layers of defense:
- Sanitization: A new helper function, normalize_snippet_file_name(), restricts file paths to the proper subdirectory.
- Capability Checks: The action_handler() function now verifies that the user is an administrator before allowing any changes.
- Nonce Verification: The addition of nonces ensures that requests are legitimate and intentional.
We urge users to update their sites to the latest patched version of Perfmatters, version 2.6.0, as soon as possible.