CVE-2026-6344
Arbitrary File Read in Fluent Forms WordPress Plugin
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpfluent | fluent_forms | up to and including 6.2.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Fluent Forms plugin for WordPress is vulnerable to arbitrary file read in versions up to and including 6.2.1. The cause is missing file-path validation in the getAttachments() method of EmailNotificationActions: it resolves attacker-supplied file-upload URLs into filesystem paths without ensuring the resulting path stays within the WordPress uploads directory.
An attacker with administrator access can bypass the prefix check, which is applied to the raw URL, by using directory traversal sequences (such as ../../) that are never normalized before the path is used. This allows them to read any file the web server user can access, including sensitive files such as wp-config.php, which contains database credentials and authentication salts.
The attacker submits a form whose admin notification is configured to attach a file-upload field and supplies a crafted URL pointing outside the uploads directory. The targeted file is then attached to the outbound admin notification email sent via wp_mail(). Although the email can be triggered by unauthenticated users, the recipient of the email is not controlled by the attacker.
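The root cause described above is a containment check performed on the raw URL string rather than on the normalized filesystem path. The following is an added illustration, not Fluent Forms' own code: it puts a resolver with that weak pattern next to a hardened one that decodes the URL, rejects `..` segments, resolves the real path and only then checks that it lies under the uploads directory. `wp_upload_dir()` is a real WordPress function; a stub is provided so the script runs outside WordPress, and the upload directory, base URL and sample file names are constructed for the demo.

```php
<?php
// Added example (not Fluent Forms code). Contrasts a prefix check on the raw
// URL with a check on the resolved filesystem path.

// wp_upload_dir() exists in WordPress; stubbed here with constructed values
// so the script runs stand-alone.
if (!function_exists('wp_upload_dir')) {
    function wp_upload_dir(): array {
        return [
            'basedir' => sys_get_temp_dir() . '/wp-uploads-demo',
            'baseurl' => 'https://example.test/wp-content/uploads',
        ];
    }
}

// Weak pattern: the prefix test is run on the raw URL, and the remainder is
// appended to the uploads directory unchanged. A URL whose remainder contains
// "../" passes the test and maps to a path above the uploads directory.
function resolve_attachment_weak(string $url): ?string {
    $u = wp_upload_dir();
    if (strpos($url, $u['baseurl']) !== 0) {
        return null;
    }
    return $u['basedir'] . substr($url, strlen($u['baseurl']));
}

// Hardened pattern: decode, reject traversal segments, resolve the real path
// (which also follows symlinks), then require containment in the uploads dir.
function resolve_attachment_safe(string $url): ?string {
    $u = wp_upload_dir();
    if (strpos($url, $u['baseurl'] . '/') !== 0) {
        return null;
    }
    $relative = rawurldecode(substr($url, strlen($u['baseurl'])));
    foreach (explode('/', str_replace('\\', '/', $relative)) as $segment) {
        if ($segment === '..') {
            return null; // traversal attempt, regardless of URL encoding
        }
    }
    $base = realpath($u['basedir']);
    $path = realpath($u['basedir'] . $relative);
    if ($base === false || $path === false) {
        return null; // uploads dir missing, or file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the uploads directory
    }
    return is_file($path) ? $path : null;
}

// Demo with constructed data: one legitimate upload, one traversal URL.
$dir = wp_upload_dir();
@mkdir($dir['basedir'], 0700, true);
file_put_contents($dir['basedir'] . '/form-upload.txt', "constructed upload\n");

$urls = [
    $dir['baseurl'] . '/form-upload.txt',      // legitimate attachment
    $dir['baseurl'] . '/../outside-demo.txt',  // constructed: escapes uploads
];
foreach ($urls as $url) {
    printf("%s\n  weak: %s\n  safe: %s\n", $url,
        var_export(resolve_attachment_weak($url), true),
        var_export(resolve_attachment_safe($url), true));
}
```

For the legitimate URL both resolvers return a path inside the uploads directory; for the traversal URL the weak resolver returns a path one level above it, while the hardened resolver returns null. The `realpath()` containment check is the part that matters for detection and review: any attachment path that does not start with the resolved uploads directory should be refused, not merely logged.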
How can this vulnerability impact me?
This vulnerability can allow an attacker with administrator access to read arbitrary files on the server that the web server user can access. This includes sensitive configuration files such as wp-config.php, which contains database credentials and authentication salts.
By obtaining such sensitive information, an attacker could compromise the security of the WordPress site, potentially leading to data breaches, unauthorized access, or further exploitation.
Since the vulnerability involves reading files and exposing sensitive data via email notifications, it could lead to leakage of confidential information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated administrators to read arbitrary files on the server, including sensitive files such as wp-config.php which contains database credentials and authentication salts.
Exposure of such sensitive information could lead to unauthorized access or data breaches, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive data.
However, the provided information does not explicitly discuss the direct impact on compliance with these standards.