
Description

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the `deleteFile()` method in the `Uploader` class lacking nonce verification and capability checks. The AJAX action is registered via `addPublicAjaxAction()` which creates both `wp_ajax_` and `wp_ajax_nopriv_` hooks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments via the `attachment_id` parameter. Note: The researcher described file deletion via the `path` parameter using `sanitize_file_name()`, but the actual code uses `Protector::decrypt()` for path-based deletion which prevents exploitation. The vulnerability is exploitable via the `attachment_id` parameter instead.
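The description above names the two ingredients of this CWE-862 bug: an AJAX handler registered on both the `wp_ajax_` and `wp_ajax_nopriv_` hooks, and a handler body that performs no nonce or capability check before acting on a caller-supplied `attachment_id`. The following is an added illustration, not code from the Fluent Forms plugin or from Wordfence, showing that pattern next to the hardened form a reviewer would ask for. The function and action names (`example_delete_attachment`, `example_delete_attachment_protected`) and the `nonce` field are hypothetical; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `wp_delete_attachment`, `wp_send_json_error`) are real core APIs.

```php
<?php
// Added illustration (not Fluent Forms code): a WordPress AJAX handler that
// deletes a media attachment, first in the unprotected pattern CWE-862
// describes, then hardened. All example_* names are hypothetical.

// --- Unprotected pattern -------------------------------------------------
// Registering the nopriv hook exposes the handler to logged-out visitors,
// and the body never checks a nonce or a capability, so anyone who can
// reach admin-ajax.php can delete any attachment by ID.
function example_delete_attachment_unprotected() {
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_attachment', 'example_delete_attachment_unprotected' );
add_action( 'wp_ajax_nopriv_example_delete_attachment', 'example_delete_attachment_unprotected' );

// --- Hardened pattern ----------------------------------------------------
function example_delete_attachment_protected() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    //    check_ajax_referer() dies with a -1 response if it is missing or stale.
    check_ajax_referer( 'example_delete_attachment', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
    }

    // 2. Authorization: WordPress's per-object capability check. For an
    //    attachment, delete_post resolves to delete_posts or delete_others_posts
    //    depending on whether the current user owns it.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}
// 3. Authenticated hook only: no wp_ajax_nopriv_ registration, since an
//    anonymous visitor can never legitimately delete media.
add_action( 'wp_ajax_example_delete_attachment', 'example_delete_attachment_protected' );

// The page that issues the request obtains the token from
// wp_create_nonce( 'example_delete_attachment' ) and posts it as the
// 'nonce' field alongside attachment_id.
```

The three fixes are independent and each closes a different gap: dropping the `nopriv` hook removes anonymous access, the nonce stops cross-site forgery against logged-in users, and the capability check keeps a low-privilege account from deleting media it does not own. When auditing a plugin for this class of issue, search for every `wp_ajax_nopriv_` registration (or a helper such as the `addPublicAjaxAction()` named above that creates both hooks) and confirm the bound callback performs no state-changing action without these checks.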

PUBLISHED Reserved 2026-02-20 | Published 2026-03-05 | Updated 2026-03-05 | Assigner Wordfence

MEDIUM: 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Problem types

CWE-862 Missing Authorization

Product status

Default status: unaffected

* (semver): affected

Timeline

2026-02-20: Vendor Notified
2026-03-04: Disclosed

Credits

Prickly Cactus (finder)

References

www.wordfence.com/...-abd7-4061-835d-038b765c68a6?source=cve

fluentforms.com/docs/changelog/

cve.org (CVE-2026-2899)

nvd.nist.gov (CVE-2026-2899)
