PT-2026-23130 · WordPress · Fluent Forms Pro Add On Pack
Prickly Cactus · Published 2026-03-05 · Updated 2026-03-08
CVE-2026-2899
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Fluent Forms Pro Add On Pack versions up to and including 6.1.17
Description
The Fluent Forms Pro Add On Pack plugin for WordPress has a missing authorization issue. The deleteFile() method within the Uploader class does not verify a nonce or check user capabilities. The AJAX action is registered publicly, creating both a wp_ajax and a wp_ajax_nopriv hook, so unauthenticated attackers can delete arbitrary WordPress media attachments by manipulating the attachment_id parameter. The vulnerability is exploitable through the attachment_id parameter, not the path parameter as initially reported.
Recommendations
Update Fluent Forms Pro Add On Pack to a version later than 6.1.17.
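The following is an added illustration of the defect class described above and of the hardened form a plugin author would ship; it is not code from Fluent Forms Pro Add On Pack. The action name, nonce action and the `attachment_id` request parameter are assumed for the example.

```php
<?php
// Hypothetical AJAX delete handler (example code, not the plugin's own).
// It shows the two defects named in the advisory and the hardened form:
// the action must not be exposed via the nopriv hook, and the callback must
// verify a nonce and check a per-object capability before deleting anything.

// Weak pattern: exposed to logged-out users and trusts attachment_id as-is.
add_action('wp_ajax_example_delete_file', 'example_delete_file_weak');
add_action('wp_ajax_nopriv_example_delete_file', 'example_delete_file_weak');

function example_delete_file_weak() {
    $attachment_id = (int) ($_POST['attachment_id'] ?? 0);
    wp_delete_attachment($attachment_id, true); // no nonce, no capability check
    wp_send_json_success();
}

// Hardened pattern: logged-in hook only (no wp_ajax_nopriv_ registration).
add_action('wp_ajax_example_delete_file', 'example_delete_file_hardened');

function example_delete_file_hardened() {
    // Rejects requests without a valid nonce; dies with HTTP 403 on failure.
    // The page issuing the request must embed wp_create_nonce('example_delete_file_nonce').
    check_ajax_referer('example_delete_file_nonce', 'nonce');

    $attachment_id = isset($_POST['attachment_id']) ? absint($_POST['attachment_id']) : 0;

    // Only operate on real attachment posts, never on arbitrary post IDs.
    if ($attachment_id === 0 || get_post_type($attachment_id) !== 'attachment') {
        wp_send_json_error(['message' => 'invalid attachment'], 400);
    }

    // Per-object capability check: the current user must be allowed to delete
    // this specific attachment (meta capability resolved by WordPress).
    if (!current_user_can('delete_post', $attachment_id)) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    if (wp_delete_attachment($attachment_id, true) === false) {
        wp_send_json_error(['message' => 'delete failed'], 500);
    }

    wp_send_json_success(['deleted' => $attachment_id]);
}
```

A quick audit check for the same defect class is to grep a plugin for `wp_ajax_nopriv_` registrations and confirm each callback both calls `check_ajax_referer()` (or `wp_verify_nonce()`) and performs a `current_user_can()` check before any state-changing operation.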
Fix
Weakness Enumeration
Missing Authorization
Related Identifiers
Affected Products
Fluent Forms Pro Add On Pack
WordPress