Fluent Forms Pro Add On Pack Vulnerability (Medium) – CVE-2026-2899


Mar 4, 2026 | Plugins

Attack Vectors

CVE-2026-2899 affects the WordPress plugin Fluent Forms Pro Add On Pack (slug: fluentformpro) in versions 6.1.17 and earlier, and is rated Medium severity (CVSS 6.5).

The primary attack path is over the public internet via WordPress AJAX endpoints. Because the vulnerable AJAX action is exposed to unauthenticated visitors, an attacker does not need a user account to attempt abuse.

An attacker can submit requests that reference an attachment_id and trigger deletion of WordPress media attachments. This can be performed at scale, which increases business risk for marketing websites that rely heavily on media assets (images, PDFs, brand downloads, campaign landing pages).

Security Weakness

The issue is a missing authorization check in the plugin’s file deletion workflow. Specifically, the deleteFile() method in the Uploader class lacks nonce verification and capability checks.

The plugin registers the AJAX action using addPublicAjaxAction(), which creates both authenticated and unauthenticated hooks (including wp_ajax_nopriv_). As a result, the deletion action is reachable without logging in.

Remediation is straightforward: update Fluent Forms Pro Add On Pack to version 6.1.18 or a newer patched version.
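To make the weakness concrete, the following is an added illustrative WordPress AJAX handler, not the plugin's own code: the first handler follows the pattern described above (registered for both logged-in and anonymous visitors, deleting whatever attachment_id it receives with no nonce or capability check), and the second shows the checks a patched handler needs. The action names, nonce action, function names and the script handle are assumptions chosen for the example.

```php
<?php
// Added illustrative example (not the plugin's code). Action names such as
// 'example_delete_attachment', the nonce action 'example_delete_nonce' and
// the script handle 'example-uploader' are assumptions for this demo.

// Weak pattern: exposed to anonymous visitors via wp_ajax_nopriv_, and the
// handler deletes any attachment_id it is handed, with no CSRF or capability check.
add_action( 'wp_ajax_example_delete_attachment', 'example_delete_attachment_unsafe' );
add_action( 'wp_ajax_nopriv_example_delete_attachment', 'example_delete_attachment_unsafe' );

function example_delete_attachment_unsafe() {
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success();
}

// Hardened pattern: logged-in hook only, nonce verified, target validated,
// and the caller's capability checked against that specific attachment.
add_action( 'wp_ajax_example_delete_attachment_safe', 'example_delete_attachment_safe' );

function example_delete_attachment_safe() {
    // 1. CSRF protection: dies with HTTP 403 unless the 'nonce' field carries a
    //    valid nonce for this action.
    check_ajax_referer( 'example_delete_nonce', 'nonce' );

    // 2. Input validation: must be a positive integer that refers to an attachment.
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
    }

    // 3. Authorization: the meta capability 'delete_post' resolves to delete_posts
    //    or delete_others_posts depending on whether the current user owns the item,
    //    so users can only remove attachments they are allowed to delete.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    $deleted = wp_delete_attachment( $attachment_id, true );
    if ( ! $deleted ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}

// The nonce is minted server-side and passed to the front-end script that
// calls admin-ajax.php, so only pages that rendered the form can use it.
function example_enqueue_delete_script() {
    wp_localize_script( 'example-uploader', 'exampleDelete', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_delete_nonce' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_delete_script' );
```

Two practical notes. A nonce alone is not authorization: it only proves the request came from a page this site rendered, so the capability check against the specific attachment is the part that stops an arbitrary visitor, or a low-privileged account, from deleting other people's media. And where a front-end form legitimately lets an anonymous visitor remove a file they just uploaded, a hardened handler should scope deletion to that visitor's own pending upload (for example via a per-upload token stored with the submission) rather than accept any attachment_id; that design detail is general guidance, not a description of the vendor's fix. Before and after applying the update, the installed version can be confirmed with `wp plugin get fluentformpro --field=version`.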

Technical or Business Impacts

Website integrity and brand experience: Deleting media attachments can break pages, forms, and campaign assets, leading to missing images, broken downloads, and an unprofessional customer experience.

Revenue and lead impact: Marketing funnels often depend on media-heavy landing pages. If key assets are removed, conversion rates can drop and paid campaigns may waste spend by driving traffic to degraded pages.

Operational disruption: Teams may need emergency content restoration, re-uploads, and site-wide QA, pulling marketing, web, and IT resources away from planned work.

Compliance and records risk: If attachments include policy documents, consent language, or compliance-related PDFs, their deletion can create audit and documentation gaps.

Availability degradation: While this is not described as a full site takeover, widespread attachment deletion can materially reduce site usability and content availability, especially for media libraries used across multiple pages.

Similar Attacks

Unauthenticated or poorly authorized WordPress plugin endpoints are a common source of business-impacting incidents. Examples include:

Wordfence: Critical zero-day vulnerability in the File Manager plugin exploited (2020)

Wordfence: Elementor Pro vulnerability write-up (2021)

Wordfence: Examples of mass exploitation of WordPress plugin vulnerabilities
