CVE-2026-6344

MEDIUM EPSS 42.1%
Published May 6, 20261mo ago · Modified Jun 17, 20262w ago
4.9 CVSS 3.1
Medium
Find Similar
Published May 6, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory: a strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve ".\..\" segments, and file_exists() then resolves them at the kernel level. This makes it possible for authenticated attackers with administrator access to read arbitrary files readable by the web-server user — including wp-config.php with its database credentials and authentication salts — by submitting a form whose admin notification is configured to attach a file-upload field and supplying a crafted URL of the shape <upload_baseurl>/../../<target> as the file-field value. The resolved file is attached to the outbound admin-notification email via wp_mail(). While the email can be triggered by unauthenticated users, the email recipient is not user-controlled.

CVSS Details

Base Score
4.9
Exploitability
1.2
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
42.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

References 10

  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Hooks/Ajax.php#L17
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Modules/SubmissionHandler/SubmissionHandler.php#L17
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L121
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L130
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L133
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L135
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L137
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L151
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset/3513845/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php
  • wordfence.com https://www.wordfence.com/threat-intel/vulnerabilities/id/0101113b-70c2-4db4-b6b1-b2412f6e1214?source=cve

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.