CVE-2026-2899
Description
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the deleteFile() method in the Uploader class lacking nonce verification and capability checks. The AJAX action is registered via addPublicAjaxAction() which creates both wp_ajax_ and wp_ajax_nopriv_ hooks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments via the attachment_id parameter.
Note: The researcher described file deletion via the path parameter using sanitize_file_name(), but the actual code uses Protector::decrypt() for path-based deletion which prevents exploitation. The vulnerability is exploitable via the attachment_id parameter instead.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can delete arbitrary WordPress media attachments via the Fluent Forms Pro Add On Pack plugin (≤6.1.17) due to a missing authorization check in the `deleteFile()` AJAX handler.
CVE-2026-2899 describes a missing authorization vulnerability in the Fluent Forms Pro Add On Pack plugin for WordPress, affecting all versions up to and including 6.1.17. The flaw resides in the deleteFile() method of the Uploader class, which is registered as an AJAX action accessible to both authenticated and unauthenticated users via addPublicAjaxAction(). The method lacks both nonce verification and capability checks, allowing any unauthenticated visitor to invoke the action.
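The following PHP is an added illustration of the pattern the description and the paragraph above refer to; it is not the plugin's own code. The page names Uploader::deleteFile(), addPublicAjaxAction() and the attachment_id parameter, but not the action slug, the script handle or the handler bodies, so 'ffp_delete_file', 'ffp-uploader' and everything inside the two methods are assumptions. The first method shows the vulnerable shape (a public handler whose only input handling is an integer cast); the second shows the checks a hardened handler needs.

```php
<?php
// Added illustrative example, not Fluent Forms code. The action slug
// 'ffp_delete_file', the script handle 'ffp-uploader' and both method bodies
// are assumptions; the page only states that Uploader::deleteFile() was
// exposed on wp_ajax_ and wp_ajax_nopriv_ with no nonce or capability check.

class Uploader {
    // Vulnerable shape: reachable by any visitor, and the attachment to delete
    // is entirely attacker-controlled. Attachment IDs are sequential post IDs.
    public function deleteFileVulnerable() {
        $attachment_id = isset($_REQUEST['attachment_id']) ? intval($_REQUEST['attachment_id']) : 0;
        if ($attachment_id) {
            wp_delete_attachment($attachment_id, true); // removes DB row and files
        }
        wp_send_json_success(['deleted' => $attachment_id]);
    }

    // Hardened shape: CSRF nonce, then per-object capability check, then act.
    public function deleteFileHardened() {
        // 1. Nonce: must have been issued for this action; check_ajax_referer()
        //    terminates the request with 403 on failure. A nonce alone is NOT
        //    authorization: a public nonce embedded in a page is just as public.
        check_ajax_referer('ffp_delete_file', 'nonce');

        $attachment_id = isset($_REQUEST['attachment_id']) ? absint($_REQUEST['attachment_id']) : 0;
        if (!$attachment_id || get_post_type($attachment_id) !== 'attachment') {
            wp_send_json_error(['message' => 'Invalid attachment'], 400);
        }

        // 2. Authorization: the current user must be allowed to delete THIS
        //    attachment. Anonymous users hold no capabilities, so even if the
        //    nopriv hook were registered this check would reject them.
        if (!current_user_can('delete_post', $attachment_id)) {
            wp_send_json_error(['message' => 'Forbidden'], 403);
        }

        wp_delete_attachment($attachment_id, true);
        wp_send_json_success(['deleted' => $attachment_id]);
    }
}

$uploader = new Uploader();

// Registration. addPublicAjaxAction() (per the description) hooked both
// prefixes; a delete operation should only be hooked for logged-in users.
add_action('wp_ajax_ffp_delete_file', [$uploader, 'deleteFileHardened']);
// Deliberately NOT registered:
// add_action('wp_ajax_nopriv_ffp_delete_file', [$uploader, 'deleteFileHardened']);

// Hand the nonce to the front-end so legitimate callers can include it.
add_action('wp_enqueue_scripts', function () {
    wp_localize_script('ffp-uploader', 'ffpDelete', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('ffp_delete_file'),
    ]);
});
```

Two points worth keeping in mind when reviewing handlers like this. First, the nonce and the capability check are separate controls: check_ajax_referer() stops cross-site forgery, current_user_can('delete_post', $id) decides whether this caller may touch this object, and a handler that fixes only the nonce remains a missing-authorization bug. Second, if a front-end form genuinely needs to let anonymous visitors remove a file they just uploaded, the handler must bind the delete to that visitor's own upload through a server-issued, per-upload secret rather than accept a caller-chosen attachment_id.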
Exploitation is straightforward: an unauthenticated attacker sends a request to the site's admin-ajax.php endpoint (the entry point behind every wp_ajax_nopriv_ hook) invoking the plugin's action with the attachment_id parameter set to the ID of any media attachment. Attachment IDs are ordinary WordPress post IDs and are assigned sequentially, so they can simply be enumerated. No authentication, special privilege or network position is required. The researcher also reported a path-based deletion vector through the path parameter, relying on sanitize_file_name(); that vector is not exploitable because the code actually decrypts the path with Protector::decrypt(), so an attacker cannot supply an arbitrary path [1].
The impact is significant: an unauthenticated attacker can delete arbitrary media attachments (images, PDFs, etc.) that have been uploaded to the WordPress site. This could lead to defacement of the site, loss of critical media, or denial of service if essential images or documents are removed. The vulnerability does not require any user interaction and can be exploited remotely.
The fix shipped in Fluent Forms Pro 6.2.1, released on April 16, 2026; the changelog for that release lists it among several security hardening changes. Users are strongly advised to update to 6.2.1 or later [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Fluent Forms Pro Add On Pack: all versions <=6.1.17
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.