PT-2026-23130 · WordPress · Fluent Forms Pro Add On Pack+1

Prickly Cactus

·

Published

2026-03-05

·

Updated

2026-03-08

·

CVE-2026-2899

CVSS v3.1

6.5

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Fluent Forms Pro Add On Pack versions up to and including 6.1.17
Description: The Fluent Forms Pro Add On Pack plugin for WordPress has a missing authorization issue. The deleteFile() method of the Uploader class neither verifies a nonce nor checks user capabilities. The AJAX action is registered publicly, creating both a wp_ajax_ and a wp_ajax_nopriv_ hook, so the handler is reachable without logging in. This allows unauthenticated attackers to delete arbitrary WordPress media attachments by manipulating the attachment_id parameter. The vulnerability is exploitable through the attachment_id parameter, not the path parameter as initially reported.
Recommendations: Update Fluent Forms Pro Add On Pack to a version later than 6.1.17.
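To make the pattern concrete, the following is an added illustration written for this page, not code from the Fluent Forms Pro Add On Pack plugin: the class names, the action name example_delete_file, the nonce field name and the helper functions are hypothetical. It shows a handler registered on both the wp_ajax_ and wp_ajax_nopriv_ hooks with no nonce or capability check, beside a hardened version that drops the nopriv registration, verifies a nonce, confirms the ID refers to a media attachment, and checks the delete_post meta-capability for that attachment before calling wp_delete_attachment().

```php
<?php
// Added example, not the plugin's own code. Class, action and function names are hypothetical.

// --- Vulnerable pattern: public AJAX action with no nonce or capability check ---
class Example_Uploader_Vulnerable {
    public function register() {
        // The wp_ajax_nopriv_* registration exposes the same callback to visitors who are not logged in.
        add_action( 'wp_ajax_example_delete_file',        [ $this, 'deleteFile' ] );
        add_action( 'wp_ajax_nopriv_example_delete_file', [ $this, 'deleteFile' ] );
    }

    public function deleteFile() {
        // No check_ajax_referer(), no current_user_can(): any attachment ID from any client is accepted.
        $attachment_id = isset( $_REQUEST['attachment_id'] ) ? intval( $_REQUEST['attachment_id'] ) : 0;
        if ( $attachment_id ) {
            wp_delete_attachment( $attachment_id, true ); // removes the post row and the file on disk
        }
        wp_send_json_success();
    }
}

// --- Hardened pattern ---
class Example_Uploader_Hardened {
    const ACTION = 'example_delete_file';

    public function register() {
        // Authenticated hook only; there is no wp_ajax_nopriv_ registration.
        add_action( 'wp_ajax_' . self::ACTION, [ $this, 'deleteFile' ] );
    }

    // Nonce the front end must send in the request (hypothetical field name "nonce").
    public static function nonce() {
        return wp_create_nonce( self::ACTION );
    }

    public function deleteFile() {
        // 1. Nonce: rejects cross-site and replayed requests (check_ajax_referer() dies with 403 on failure).
        check_ajax_referer( self::ACTION, 'nonce' );

        // 2. Input: read the ID from POST only and coerce it to a non-negative integer.
        $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;

        // 3. Object check: the ID must point at a media attachment, not an arbitrary post.
        if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
            wp_send_json_error( 'invalid attachment', 400 );
        }

        // 4. Authorization: the delete_post meta-capability resolves to the correct
        //    capability for this specific attachment (own media vs. other users' media).
        if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }

        if ( ! wp_delete_attachment( $attachment_id, true ) ) {
            wp_send_json_error( 'delete failed', 500 );
        }
        wp_send_json_success( [ 'deleted' => $attachment_id ] );
    }
}
```

The nopriv registration is what turns a missing check into an unauthenticated issue, but the nonce alone would not be enough either: a nonce is tied to the caller's session and only defends against cross-site requests, so the capability check is what actually authorizes the deletion. A plugin that only manages its own uploads can tighten step 3 further by requiring a post-meta marker it sets at upload time. When auditing any plugin for this class of bug, list every wp_ajax_nopriv_ registration and confirm that each callback either genuinely needs no privilege or performs both checks before touching site data.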

Fix

Weakness Enumeration

Missing Authorization

Related identifiers

CVE-2026-2899

Affected products

Fluent Forms Pro Add On Pack
WordPress