Fluent Forms Pro Missing Authorization Vulnerability Allowing Unauthenticated Deletion of Media Attachments

Vulnerability

A vulnerability exists in the Fluent Forms Pro Add On Pack for WordPress, in all versions through 6.1.17, allowing unauthenticated users to delete arbitrary media attachments. This issue arises from the 'deleteFile()' method in the 'Uploader' class, which lacks proper nonce verification and capability checks. The vulnerability is exploited through an AJAX action that is available to both authenticated and unauthenticated users, using the 'attachment_id' parameter to target specific media items for deletion.
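
For illustration, the pattern the advisory describes, as added example code that is not Fluent Forms' own: a hypothetical WordPress AJAX delete handler that is reachable by anonymous users and trusts 'attachment_id' with no nonce or capability check, followed by a hardened version that adds the checks the advisory says were missing. Hook names, function names and the nonce action are assumptions.

```php
<?php
// Added example only; hook and function names are hypothetical, not the plugin's real code.

// Vulnerable pattern: registered for logged-in AND anonymous users (wp_ajax_nopriv_*),
// and deletes whatever attachment_id the request names with no authorization at all.
add_action('wp_ajax_example_delete_file', 'example_delete_file_vulnerable');
add_action('wp_ajax_nopriv_example_delete_file', 'example_delete_file_vulnerable');
function example_delete_file_vulnerable() {
    $attachment_id = isset($_REQUEST['attachment_id']) ? (int) $_REQUEST['attachment_id'] : 0;
    wp_delete_attachment($attachment_id, true); // any media item, by ID, for anyone
    wp_send_json_success();
}

// Hardened pattern: privileged-only hook (no nopriv registration), a nonce bound to
// this action, strict type validation, and a per-object capability check.
// The page requesting deletion must send the nonce from wp_create_nonce('example_delete_file_nonce').
add_action('wp_ajax_example_delete_file_safe', 'example_delete_file_hardened');
function example_delete_file_hardened() {
    // 1. Nonce check: rejects forged or cross-site requests; dies on failure.
    check_ajax_referer('example_delete_file_nonce', '_ajax_nonce');

    // 2. Validate the ID and make sure it really is a media attachment.
    $attachment_id = isset($_REQUEST['attachment_id']) ? absint($_REQUEST['attachment_id']) : 0;
    if ($attachment_id === 0 || get_post_type($attachment_id) !== 'attachment') {
        wp_send_json_error(array('message' => 'Invalid attachment.'), 400);
    }

    // 3. Capability check scoped to this specific object, not a blanket is_user_logged_in().
    if (!current_user_can('delete_post', $attachment_id)) {
        wp_send_json_error(array('message' => 'Forbidden.'), 403);
    }

    if (!wp_delete_attachment($attachment_id, true)) {
        wp_send_json_error(array('message' => 'Deletion failed.'), 500);
    }
    wp_send_json_success(array('deleted' => $attachment_id));
}
```

Note that wp_send_json_error() terminates the request, so each failed check stops execution before the delete is reached.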

Impact

Exploitation of this vulnerability allows for unauthorized deletion of WordPress media attachments, potentially leading to loss of important files or disruption of site content.

Remediation

Update to Fluent Forms Pro Add On Pack version 6.1.18 or later, which patches this vulnerability.

Added: Mar 5, 2026, 4:18 AM
Updated: Mar 5, 2026, 4:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 0.0
relevance: 3.5
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.