CVE-2026-2899 in Fluent Forms Pro Add On Pack Plugin
Summary
by MITRE • 03/05/2026
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the `deleteFile()` method in the `Uploader` class lacking nonce verification and capability checks. The AJAX action is registered via `addPublicAjaxAction()` which creates both `wp_ajax_` and `wp_ajax_nopriv_` hooks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments via the `attachment_id` parameter.
Note: The researcher described file deletion via the `path` parameter using `sanitize_file_name()`, but the actual code uses `Protector::decrypt()` for path-based deletion which prevents exploitation. The vulnerability is exploitable via the `attachment_id` parameter instead.
Analysis
by VulDB Data Team • 03/05/2026
CVE-2026-2899 affects the Fluent Forms Pro Add On Pack plugin for WordPress in all versions up to and including 6.1.17. It is an authorization flaw in the plugin's file deletion functionality: the `deleteFile()` method of the `Uploader` class performs neither nonce verification nor a capability check before acting, so the plugin's media management can be driven by callers who were never meant to reach it.
Two defects combine here. First, `deleteFile()` neither verifies a nonce nor tests the caller's capabilities. Second, the action is registered through `addPublicAjaxAction()`, which hooks the handler on both `wp_ajax_{action}` and `wp_ajax_nopriv_{action}`; WordPress fires the `nopriv` variant for requests to `admin-ajax.php` that carry no login session, so the handler is reachable by anyone who can reach the site. The `attachment_id` parameter names the media item to delete. Attachment IDs are ordinary WordPress post IDs, that is, sequential integers, so an attacker does not need to guess them: iterating over a range is enough to sweep the media library.
The impact is deletion of arbitrary media attachments, not only files the attacker uploaded through a form. Images, documents and other attachments that pages depend on can be removed, breaking site functionality and causing data loss wherever no backup exists. Because the request is cheap and unauthenticated, it also lends itself to a denial-of-service style sweep of the media library, or to removing uploaded artefacts that would otherwise serve as evidence of an attacker's activity.
VulDB classifies the flaw under CWE-863, "Incorrect Authorization": the access control decision is absent, so an unauthenticated caller can perform an operation reserved for privileged users. The corresponding ATT&CK technique is T1485, "Data Destruction". Organizations running affected versions are exposed to data loss and site disruption through this authorization bypass.
The fix is to update the plugin to version 6.1.18 or later, which adds the missing checks in the `Uploader` class: nonce verification and a capability check inside `deleteFile()`, so that only users permitted to delete the attachment can do so. Beyond patching, administrators should audit other plugins for the same pattern (handlers exposed on `wp_ajax_nopriv_` hooks that perform write operations), monitor `admin-ajax.php` traffic for unexpected deletion requests and attachment-ID enumeration, and keep media backups so that deleted attachments can be restored. A web application firewall can block known exploitation patterns, but it is a stopgap; the authorization check belongs in the handler itself.
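The vulnerable registration and handler pattern described in the technical paragraph above, beside the hardened form the mitigation paragraph calls for, as an added PHP example. This is illustrative code written for this page, not the plugin's own `Uploader` class or the vendor's fix; the class names, the `example_delete_file` action and the `nonce` field name are assumptions, while `add_action()`, `check_ajax_referer()`, `current_user_can()`, `get_post()`, `absint()`, `wp_delete_attachment()` and the `wp_send_json_*()` helpers are WordPress core APIs.

```php
<?php
// Added illustration for this page, not the Fluent Forms Pro Add On Pack source.
// Class names, the 'example_delete_file' action and the 'nonce' field are assumed.

// --- Vulnerable pattern ----------------------------------------------------
// Hooking the same handler on wp_ajax_{action} AND wp_ajax_nopriv_{action}
// makes it reachable by visitors with no session at all. If the handler then
// trusts attachment_id without a nonce or capability check, anyone who can
// reach /wp-admin/admin-ajax.php can delete any attachment on the site.
class Vulnerable_Uploader {
    public function register() {
        add_action( 'wp_ajax_example_delete_file', [ $this, 'deleteFile' ] );
        add_action( 'wp_ajax_nopriv_example_delete_file', [ $this, 'deleteFile' ] ); // reachable unauthenticated
    }

    public function deleteFile() {
        // No check_ajax_referer(), no current_user_can(): the request is
        // honoured for anyone, and attachment IDs are sequential integers.
        $attachment_id = isset( $_REQUEST['attachment_id'] ) ? absint( $_REQUEST['attachment_id'] ) : 0;
        if ( $attachment_id ) {
            wp_delete_attachment( $attachment_id, true );
        }
        wp_send_json_success();
    }
}

// --- Hardened pattern ------------------------------------------------------
class Hardened_Uploader {
    public function register() {
        // Authenticated hook only: there is no legitimate reason for an anonymous
        // visitor to delete media-library attachments by ID.
        add_action( 'wp_ajax_example_delete_file', [ $this, 'deleteFile' ] );
    }

    public function deleteFile() {
        // 1. Nonce check. The nonce is issued when the UI is rendered with
        //    wp_create_nonce( 'example_delete_file' ) and returned in the 'nonce'
        //    field; check_ajax_referer() ends the request with -1 on failure.
        check_ajax_referer( 'example_delete_file', 'nonce' );

        $attachment_id = isset( $_REQUEST['attachment_id'] ) ? absint( $_REQUEST['attachment_id'] ) : 0;
        $attachment    = $attachment_id ? get_post( $attachment_id ) : null;

        // 2. The target must exist and actually be an attachment, not an arbitrary post.
        if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
            wp_send_json_error( [ 'message' => 'Invalid attachment.' ], 400 );
        }

        // 3. Capability check scoped to this object. 'delete_post' for a given
        //    post ID is resolved by map_meta_cap(), so a user who does not own
        //    the upload needs delete_others_posts rather than a blanket grant.
        if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
            wp_send_json_error( [ 'message' => 'You are not allowed to delete this file.' ], 403 );
        }

        wp_delete_attachment( $attachment_id, true );
        wp_send_json_success( [ 'deleted' => $attachment_id ] );
    }
}
```

Dropping the `nopriv` hook is the right call for deletion by attachment ID, because an integer ID carries no proof that the caller created the upload. Where a public form genuinely must let an anonymous visitor remove a file they just uploaded, the handler has to bind the request to an unguessable per-upload token rather than to a guessable ID; that is effectively what the summary's note describes for the plugin's `path` branch, where `Protector::decrypt()` rejects paths the server did not itself issue.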