PT-2026-37349 · WordPress · Fluent Forms

Niv Kochan · Published 2026-05-06 · Updated 2026-05-06 · CVE-2026-6344

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Fluent Forms versions prior to 6.2.2

Description: Insufficient path validation in the getAttachments() function of EmailNotificationActions allows authenticated attackers with administrator access to read arbitrary files accessible by the web-server user, such as wp-config.php, which contains the database credentials and authentication salts. The issue occurs because attacker-supplied file-upload URLs are resolved into filesystem paths without ensuring that the resulting path remains within the WordPress uploads directory. A prefix check using strpos() can be bypassed with traversal sequences, because wp_normalize_path() does not resolve ".." segments; those segments are subsequently resolved by file_exists() at the kernel level. An attacker can exploit this by submitting a form whose admin notification is configured to attach a file-upload field and supplying a crafted URL of the form <upload_baseurl>/../../<target> as the file-field value. The targeted file is then attached to the outbound admin-notification email via wp_mail().

Recommendations: Update the plugin to a version later than 6.2.1.
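The following stand-alone PHP script is an added illustration of the containment flaw described above; it is not Fluent Forms code and does not load WordPress. It contrasts a prefix-only check (modelled on the strpos() comparison the advisory describes) with a check that resolves the path through realpath() before comparing, and runs both against a constructed temporary "uploads" directory. The base URL, file names and the secret file content are placeholders constructed for the example.

```php
<?php
// Added example, not Fluent Forms code: prefix-only containment check versus a
// resolved-path check. Stand-alone; no WordPress functions are used.

/**
 * Weak containment check modelled on the behaviour the advisory describes:
 * the candidate path is only string-compared against the uploads directory
 * prefix, so "uploads/../secret" passes because ".." is never resolved.
 */
function weak_is_inside(string $baseDir, string $candidate): bool
{
    // Normalise only separators and trailing slashes, as a naive normaliser would.
    $base = rtrim(str_replace('\\', '/', $baseDir), '/') . '/';
    $path = str_replace('\\', '/', $candidate);
    return strpos($path, $base) === 0;
}

/**
 * Hardened check: resolve both paths on the filesystem (realpath collapses
 * ".." and symlinks), then require that the resolved file sits under the
 * resolved base directory, with a separator as the boundary.
 */
function strict_is_inside(string $baseDir, string $candidate): bool
{
    $base = realpath($baseDir);
    $path = realpath($candidate);
    if ($base === false || $path === false) {
        return false; // base or file does not exist: never attach
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $base, strlen($base)) === 0;
}

/**
 * Mirror of the advisory's scenario: map an upload URL to a local path by
 * swapping the base URL for the base directory, then apply a containment check.
 * $checker is 'weak_is_inside' or 'strict_is_inside'. Returns the path to
 * attach, or null when the file must not be attached.
 */
function resolve_attachment(string $baseUrl, string $baseDir, string $fileUrl, callable $checker): ?string
{
    if (strpos($fileUrl, $baseUrl) !== 0) {
        return null; // not an uploads URL at all
    }
    $local = $baseDir . substr($fileUrl, strlen($baseUrl));
    // is_file() resolves ".." at the kernel level, which is why the weak
    // check alone is not enough.
    return ($checker($baseDir, $local) && is_file($local)) ? $local : null;
}

// --- Constructed fixture: a temporary "uploads" dir and a secret outside it ---
$root    = sys_get_temp_dir() . '/ffdemo_' . bin2hex(random_bytes(4));
$uploads = $root . '/uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/form-upload.txt', "legitimate upload\n");
file_put_contents($root . '/secret.txt', "DB_PASSWORD=constructed-placeholder\n");

$baseUrl = 'https://example.test/wp-content/uploads'; // placeholder site, assumed
$good    = $baseUrl . '/form-upload.txt';
$bad     = $baseUrl . '/../secret.txt'; // traversal-shaped value, as the advisory describes

foreach (['weak_is_inside', 'strict_is_inside'] as $checker) {
    foreach ([$good, $bad] as $url) {
        $result = resolve_attachment($baseUrl, $uploads, $url, $checker);
        printf("%-17s %-55s -> %s\n", $checker, $url,
            $result === null ? 'REJECTED' : 'attached ' . $result);
    }
}

// Cleanup of the constructed fixture
unlink($uploads . '/form-upload.txt');
unlink($root . '/secret.txt');
rmdir($uploads);
rmdir($root);
```

Running the script shows weak_is_inside accepting both URLs (the second one resolving to secret.txt outside the uploads directory), while strict_is_inside accepts only the genuine upload. The design point is that any containment decision must be made on the resolved path, and a candidate that does not resolve at all is rejected rather than passed through to the mailer.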

Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2026-6344

Affected Products: Fluent Forms