TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Wordfence Blog

200,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in Perfmatters WordPress Plugin

István Márton · 2026-04-02

ATT&CK techniques detected

4 predictions
T1070.004 File Deletion
80%
"get['export'])) { self::export($_get['export']); } // delete snippet if (!empty($_get['delete'])) { // vars $file_name = $_get['delete']; $file = self::get_storage_dir() . '/' . $file_name; // file not found if (!is_…"
T1190 Exploit Public-Facing Application
75%
".1 cvss rating 8.1 (high) cve-id cve-2026-4350 affected version(s) <= 2.5.9.1 patched version 2.6.0 bounty $3,726.00 affected software perfmatters [perfmatters] researcher h0xilo the perfmatters plugin for wordpress is vulnerable to arbitrary file deletion…"
T1190 Exploit Public-Facing Application
42%
"17, 2026 – we initiated contact via the vendor contact form, asking that they confirm the inbox for handling the discussion. march 17, 2026 – the vendor registered on our wordfence vulnerability management portal for wordpress vendors. march 19, 2026 – the full disclosure details…"
T1190 Exploit Public-Facing Application
32%
"##fence care, and wordfence response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the wordfence firewall's built-in local file inclusion protection. we contacted the forgemedia llc team on…"

Summary

On March 1st, 2026, we received a submission for an Arbitrary File Deletion vulnerability in Perfmatters, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.
