
Perfmatters “delete” path traversal can erase wp-config.php, risking WordPress site takeover

What happened

The ugly detail you need to remember is simple: the Perfmatters WordPress plugin accepts a $_GET['delete'] value that can contain ../ sequences, and that value can be used to delete wp-config.php. That exact failure was described in the advisory.

The vulnerability affects all Perfmatters versions up to and including 2.5.9.1. The PMCS::action_handler() method processes the delete parameter without sanitisation, authorization checks or nonce verification. An authenticated attacker with Subscriber-level access or above can delete arbitrary files on the server, including wp-config.php, which, if removed, forces WordPress into the installation wizard and can allow full site takeover.
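As an added illustration, not Perfmatters' own code and not the actual body of PMCS::action_handler(), here is the shape of the bug class the advisory describes, placed beside a handler that applies the three controls it says were missing: a capability check, nonce verification, and containment of the requested path. The function names, the nonce action name pm_delete_file, and the idea of a plugin-owned directory that the delete action is allowed to touch are assumptions.

```php
<?php
// Added illustration, not Perfmatters' code: the bug class beside a hardened
// handler. Function names, the nonce action 'pm_delete_file' and the notion
// of a plugin-owned directory the action may touch are assumptions.

// Weak pattern: the request value reaches unlink() unchanged, so '../'
// segments walk out of $base_dir, and nothing checks who sent the request.
function pm_weak_delete(string $base_dir): void {
    if (isset($_GET['delete'])) {
        unlink($base_dir . '/' . $_GET['delete']);
    }
}

// Resolve $name inside $base_dir, or return null if it is not a plain file
// name or does not resolve to a regular file underneath $base_dir.
function pm_resolve_inside(string $base_dir, string $name): ?string {
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Reject anything that is not a single path component: no separators,
    // no '.' or '..', no null bytes (PHP 8 throws on them in realpath()).
    if ($name === '' || $name === '.' || $name === '..'
        || $name !== basename($name) || strpos($name, "\0") !== false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return null; // missing, or not a regular file
    }
    // Containment: realpath() has followed symlinks, so a link planted
    // inside $base_dir that points at wp-config.php is rejected here too.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Hardened handler: capability check, nonce check, then containment.
function pm_hardened_delete(string $base_dir): bool {
    // 1. Authorization: a Subscriber must never reach this branch.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', ['response' => 403]);
    }
    // 2. CSRF protection: the link must carry a nonce for this action, e.g.
    //    wp_nonce_url(admin_url('admin.php?delete=old.css'), 'pm_delete_file').
    check_admin_referer('pm_delete_file');

    // 3. Input handling and containment.
    $name   = isset($_GET['delete']) ? sanitize_file_name(wp_unslash($_GET['delete'])) : '';
    $target = pm_resolve_inside($base_dir, $name);
    if ($target === null) {
        wp_die('Invalid file.', '', ['response' => 400]);
    }
    // 4. Leave an audit trail: who deleted what.
    error_log(sprintf('file delete by user %d: %s', get_current_user_id(), $target));
    return unlink($target);
}
```

In a real plugin the hardened function would be registered on an admin-only hook rather than executed on every request; the order of the checks is the point: confirm the user's capability and the nonce before touching the parameter, then refuse anything that is not a single file name resolving under the directory the feature owns.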

The public advisory, as it appeared in the feed I was given, did not include a disclosure timeline, so the date it was first reported is not given here.

Why this matters to businesses

If you run WordPress sites you’re on the hook. Site owners, hosting providers, customers and anyone whose service relies on that website can be affected, quickly. Losing wp-config.php is not just an outage, it exposes database credentials and secret keys if attackers read copies or backups, and it hands a clean route to reinstall or seize the site.

The business fallout is straightforward: downtime, emergency restore costs, potential data exposure, cancelled transactions, regulator questions, and a lot of exec time on incident calls. And yes, this is mostly avoidable if you don’t treat plugin updates as optional or give low-privilege accounts more capabilities than they need.

If you’ve got the same weakness, here’s what happens next

First, your site can drop into the WordPress installation wizard. That’s the attacker’s entry point to recreate or reconfigure the site and plant admin accounts. Second, deleted or readable wp-config.php content can reveal DB credentials and salts, which attackers can reuse against backups, staging sites or other systems that share credentials.

Given those facts, expect persistence, follow-on configuration changes, possible backdoors and phishing campaigns that piggyback on the compromised site. Recovery costs can spiral, not because of a dramatic new exploit, but because of hours spent rebuilding trust, cleaning hosts and rotating secrets.

What to do on Monday morning

  1. Inventory: Find every WordPress instance and list whether Perfmatters is installed and which version it runs.

  2. Patch or remove: If you can, update Perfmatters to a patched release. If no safe patch is available yet, disable the plugin or remove it from the filesystem immediately.

  3. Lock down accounts: Audit users, remove unused Subscriber accounts, and restrict capabilities so low-level roles can’t trigger admin actions.

  4. Check logs: Search webserver and application logs for requests containing delete= and ../ sequences, and investigate any suspicious hits or recent file deletions.

  5. Rotate secrets and verify backups: Rotate database credentials and any keys stored in wp-config.php, then validate backups by restoring to an isolated host and testing the site.

  6. Harden file access: Ensure wp-config.php is not writable by the webserver and add webserver rules to deny direct access to that file and to block obvious path traversal patterns.

  7. Apply perimeter rules: Deploy WAF or web rules to block path traversal payloads and monitor for exploitation attempts.

  8. Review third-party controls: Add plugin security checks to supplier management so the same mistake doesn’t travel across other sites.
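The following PHP CLI helper is an added example, not part of the original post, covering the step-4 log check and the step-6 permission check. It flags access-log requests whose delete= parameter carries a traversal sequence, including URL-encoded and double-encoded forms that a plain grep for ../ misses, and reports whether wp-config.php is writable. The log lines are constructed samples and the file paths are assumptions; the endpoint in the samples is a placeholder, not the plugin's actual page.

```php
<?php
// Added example, not part of the original post: a PHP CLI helper for steps 4
// and 6 of the checklist. It flags access-log requests whose delete=
// parameter carries a traversal sequence, including URL-encoded and
// double-encoded forms that a plain grep for '../' misses, and reports whether
// wp-config.php is writable. Log lines and file paths below are constructed.

// Percent-decode repeatedly (bounded) so %252e%252e resolves like '..'.
function pm_fully_decode(string $s, int $max_rounds = 3): string {
    for ($i = 0; $i < $max_rounds; $i++) {
        $decoded = rawurldecode($s);
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return $s;
}

// True when a decoded parameter value contains a '..' (or '...') path segment,
// in either slash style, or names wp-config.
function pm_looks_like_traversal(string $value): bool {
    $v = str_replace('\\', '/', strtolower(pm_fully_decode($value)));
    foreach (explode('/', $v) as $segment) {
        if (preg_match('/^\.{2,}$/', $segment)) {
            return true;
        }
    }
    return strpos($v, 'wp-config') !== false;
}

// Extract the request target from a Combined Log Format line and return the
// suspicious delete values found in its query string ([] when none).
function pm_suspicious_delete_values(string $line): array {
    if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    $hits = [];
    foreach (explode('&', $query) as $pair) {
        [$key, $raw] = array_pad(explode('=', $pair, 2), 2, '');
        if (strtolower(pm_fully_decode($key)) === 'delete' && pm_looks_like_traversal($raw)) {
            $hits[] = $raw;
        }
    }
    return $hits;
}

// Scan an iterable of log lines; returns [line_no => raw line] for hits.
function pm_scan_log_lines(iterable $lines): array {
    $hits = [];
    $n = 0;
    foreach ($lines as $line) {
        $n++;
        if (pm_suspicious_delete_values($line) !== []) {
            $hits[$n] = rtrim($line);
        }
    }
    return $hits;
}

// Step 6: report the mode bits of wp-config.php and whether this process
// (run it as the web server's user to answer the real question) can write it.
function pm_wp_config_report(string $path): array {
    if (!is_file($path)) {
        return ['exists' => false];
    }
    $mode = fileperms($path) & 0777;
    return [
        'exists'         => true,
        'mode'           => sprintf('%04o', $mode),
        'group_writable' => ($mode & 0020) !== 0,
        'world_writable' => ($mode & 0002) !== 0,
        'writable_now'   => is_writable($path),
    ];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample lines; line 2 is percent-encoded, line 3 double-encoded.
    $sample = [
        '203.0.113.5 - - [10/Jan/2025:09:14:02 +0000] "GET /wp-admin/admin.php?delete=../../wp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [10/Jan/2025:09:14:09 +0000] "GET /wp-admin/admin.php?delete=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [10/Jan/2025:09:14:15 +0000] "GET /wp-admin/admin.php?delete=%252e%252e%252fwp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [10/Jan/2025:09:15:30 +0000] "GET /wp-admin/admin.php?delete=old-cache.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [10/Jan/2025:09:16:00 +0000] "GET /?s=delete HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    ];
    $log   = $argv[1] ?? null; // optional: path to a real access log
    $lines = $log ? new SplFileObject($log) : $sample;
    foreach (pm_scan_log_lines($lines) as $no => $line) {
        echo "HIT line $no: $line\n";
    }
    print_r(pm_wp_config_report($argv[2] ?? '/var/www/html/wp-config.php'));
}
```

Run it as `php scan.php /var/log/apache2/access.log /path/to/wp-config.php`; with no arguments it scans the built-in samples, reporting the first three lines and ignoring the legitimate file name and the unrelated `s=delete` search. Any hit deserves the same follow-up as a confirmed deletion: check the file's modification history, and treat the credentials and salts in wp-config.php as exposed until they are rotated.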

Where ISO standards fit, without the sales pitch

An ISO-aligned information security management system reduces the chance of this turning into a multi-day crisis. For example, an asset and supplier control linked to an ISO 27001 approach forces you to track installed plugins, assign risk ratings and require security evidence before deployment. That means you catch risky plugins before they go live.

When continuity and recovery matter, having a tested continuity plan helps you fail over or restore quickly. A structured BCMS, like the one covered by ISO 22301, ensures backups and restores are operational and reduces outage time.

For baseline technical controls and a practical certification route that maps small teams to clear controls, see the IASME guidance, which helps make basic patching, access control and supplier checks routine rather than heroic.

Finally, treat plugin procurement as a supplier risk issue, not just a developer convenience. Record versions, run code review for popular plugins and require rapid patching windows for anything that touches configuration or file operations.

Act now, because the attack path here is short and obvious: Perfmatters’ delete parameter plus traversal sequences equals serious trouble if unpatched.

Check your WordPress installs for Perfmatters immediately, patch or remove the plugin, rotate any exposed credentials and test restores before you get pulled into the incident calls.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.