CVE-2026-2899
Description
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the deleteFile() method in the Uploader class lacking nonce verification and capability checks. The AJAX action is registered via addPublicAjaxAction() which creates both wp_ajax_ and wp_ajax_nopriv_ hooks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments via the attachment_id parameter.
Note: The researcher described file deletion via the path parameter using sanitize_file_name(), but the actual code uses Protector::decrypt() for path-based deletion which prevents exploitation. The vulnerability is exploitable via the attachment_id parameter instead.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=6.1.17
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.