VYPR
Medium severity6.5NVD Advisory· Published Mar 5, 2026· Updated Apr 22, 2026

CVE-2026-2899

CVE-2026-2899

Description

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the deleteFile() method in the Uploader class lacking nonce verification and capability checks. The AJAX action is registered via addPublicAjaxAction() which creates both wp_ajax_ and wp_ajax_nopriv_ hooks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments via the attachment_id parameter.

Note: The researcher described file deletion via the path parameter using sanitize_file_name(), but the actual code uses Protector::decrypt() for path-based deletion which prevents exploitation. The vulnerability is exploitable via the attachment_id parameter instead.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.