CVE-2026-13251
HighCVSS 7.5Exploitation Probability (EPSS)
Elevated risk53th percentile — higher than 53% of all known CVEs
Summary
The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to and including 2.6.4 via the 's' parameter. This allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information.
Risk Assessment
The risk involves potential leakage of confidential data such as configuration files, passwords, or API keys, which could lead to further attacks on the organization.
Recommendation
It is recommended to immediately update the Perfmatters plugin to the latest version and disable the Local Google Fonts feature and RSS feed links if not required.
Original NVD description (English source)
The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.4 via the 's' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires the Local Google Fonts feature to be enabled (disabled by default), pretty permalinks to be active, and RSS feed links to remain enabled in the plugin settings.

