CVE-2026-2899 (CVSS 3.1: 6.5)
Fluent Forms Pro Add On Pack plugin lets unauthenticated users delete WordPress media attachments
Summary
A missing-authorization flaw in the Fluent Forms Pro Add On Pack plugin for WordPress (all versions up to and including 6.1.17) lets unauthenticated attackers delete arbitrary media attachments by sending an `attachment_id` to a public AJAX handler. Deleting uploads means data loss for the site and broken pages wherever the removed media was referenced. Update to the latest version, 6.1.18, to fix this issue.
Original title
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the `deleteFile()` method in the `Uploader`...
Original description
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the `deleteFile()` method in the `Uploader` class lacking nonce verification and capability checks. The AJAX action is registered via `addPublicAjaxAction()` which creates both `wp_ajax_` and `wp_ajax_nopriv_` hooks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments via the `attachment_id` parameter.
Note: The researcher described file deletion via the `path` parameter using `sanitize_file_name()`, but the actual code uses `Protector::decrypt()` for path-based deletion which prevents exploitation. The vulnerability is exploitable via the `attachment_id` parameter instead.
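The pattern the description above names is a common one in WordPress plugins: a helper registers one callback on both the `wp_ajax_` (logged-in) and `wp_ajax_nopriv_` (anonymous) hooks, and the callback trusts a request-supplied ID. The following is an added illustration, not the plugin's source: the class and method names `Uploader`, `deleteFile()` and `addPublicAjaxAction()` are taken from the advisory, but their bodies, the action name `demo_delete_file` and the nonce name are assumptions. It shows the vulnerable shape beside a hardened handler, using only core WordPress functions.

```php
<?php
// Added illustration of the vulnerable pattern and its fix. Not the
// plugin's own code: bodies, the 'demo_delete_file' action name and the
// '_ajax_nonce' parameter are assumptions. Requires a WordPress runtime.

class Uploader_Vulnerable {
    // Assumed helper matching the advisory: one call registers both the
    // logged-in hook and the anonymous (nopriv) hook for the same callback.
    private function addPublicAjaxAction( $action, $callback ) {
        add_action( 'wp_ajax_' . $action, $callback );
        add_action( 'wp_ajax_nopriv_' . $action, $callback ); // reachable without login
    }

    public function register() {
        $this->addPublicAjaxAction( 'demo_delete_file', array( $this, 'deleteFile' ) );
    }

    // Vulnerable shape: no nonce, no capability check. attachment_id comes
    // straight from the request and is handed to wp_delete_attachment(),
    // so any attachment on the site can be removed by any visitor.
    public function deleteFile() {
        $attachment_id = isset( $_REQUEST['attachment_id'] ) ? absint( $_REQUEST['attachment_id'] ) : 0;
        if ( $attachment_id ) {
            wp_delete_attachment( $attachment_id, true );
        }
        wp_send_json_success();
    }
}

class Uploader_Hardened {
    public function register() {
        // Only the authenticated hook: an anonymous user owns nothing to delete.
        add_action( 'wp_ajax_demo_delete_file', array( $this, 'deleteFile' ) );
    }

    public function deleteFile() {
        // 1. CSRF: the request must carry a nonce issued for this action
        //    (the front end obtains it via wp_create_nonce( 'demo_delete_file' )).
        check_ajax_referer( 'demo_delete_file', '_ajax_nonce' );

        $attachment_id = isset( $_REQUEST['attachment_id'] ) ? absint( $_REQUEST['attachment_id'] ) : 0;

        // 2. The target must exist and actually be a media attachment, so the
        //    handler cannot be pointed at posts or other object types.
        $post = $attachment_id ? get_post( $attachment_id ) : null;
        if ( ! $post || 'attachment' !== $post->post_type ) {
            wp_send_json_error( 'invalid attachment', 400 );
        }

        // 3. Authorization: 'delete_post' is a meta capability resolved per
        //    object, so an author may remove their own upload while
        //    deleting someone else's still requires delete_others_posts.
        if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }

        if ( ! wp_delete_attachment( $attachment_id, true ) ) {
            wp_send_json_error( 'delete failed', 500 );
        }
        wp_send_json_success();
    }
}
```

If a public form genuinely needs to let an anonymous visitor remove a file they just uploaded, dropping the `nopriv` hook is not an option; the deletion must then be bound to a per-upload secret handed out at upload time rather than to a guessable attachment ID. The advisory's note that the `path` variant goes through `Protector::decrypt()` describes exactly that kind of binding, which is why only the `attachment_id` variant was exploitable.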
NVD CVSS 3.1: 6.5
Vulnerability type: CWE-862 (Missing Authorization)
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026