CVE-2026-2899
Missing Authorization in Fluent Forms Pro Allows Unauthenticated Media Deletion
Publication date: 2026-03-05
Last updated on: 2026-03-05
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fluent_forms | fluent_forms_pro_add_on_pack | to 6.1.17 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Fluent Forms Pro Add On Pack plugin for WordPress has a vulnerability called Missing Authorization in all versions up to and including 6.1.17. This happens because the deleteFile() method in the Uploader class does not perform nonce verification or capability checks.
The AJAX action for deleting files is registered in a way that allows both authenticated and unauthenticated users to trigger it. As a result, an unauthenticated attacker can delete arbitrary WordPress media attachments by specifying the attachment_id parameter.
Although there was a mention of file deletion via a path parameter, the actual code prevents exploitation through that vector, so the vulnerability is exploitable only via the attachment_id parameter.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to delete arbitrary media attachments from a WordPress site using the vulnerable plugin. This can lead to loss of important media files, disruption of website content, and potential damage to the site's integrity.
Since the attacker does not need to be authenticated, the risk is higher as anyone can exploit this to remove media files without permission.
The CVSS score of 6.5 indicates a medium severity impact, with the main impact being integrity and availability loss.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves unauthenticated deletion of WordPress media attachments via the `attachment_id` parameter in AJAX requests. To detect exploitation attempts on your system or network, you should monitor HTTP requests for suspicious AJAX calls targeting the vulnerable plugin's endpoints."}, {'type': 'list_item', 'content': 'Check your web server logs for POST requests containing `attachment_id` parameters to AJAX endpoints related to Fluent Forms Pro Add On Pack.'}, {'type': 'list_item', 'content': "Use command-line tools like grep to search access logs for suspicious AJAX calls, for example: `grep 'wp-admin/admin-ajax.php' /var/log/apache2/access.log | grep 'attachment_id='`"}, {'type': 'list_item', 'content': 'Monitor for unexpected media deletions in WordPress, which may indicate exploitation.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Fluent Forms Pro Add On Pack plugin to a version later than 6.1.17 where the issue is fixed.
If an update is not immediately possible, restrict access to the AJAX endpoints by limiting public access or implementing additional authorization checks.
Monitor your WordPress media library for unauthorized deletions and restore any lost media from backups.