Fluent Forms WordPress Plugin Arbitrary File Read Vulnerability
Vulnerability
A vulnerability allowing arbitrary file read has been identified in the Fluent Forms plugin for WordPress, affecting versions through 6.2.1. The issue arises from inadequate path validation in the 'getAttachments()' method of the 'EmailNotificationActions' class. This method resolves attacker-supplied file-upload URLs into filesystem paths without ensuring that the resulting paths remain within the WordPress uploads directory. Exploitation is possible for authenticated attackers with administrator privileges, who can read any file accessible to the web server user, including sensitive files like 'wp-config.php', by submitting a form with a crafted file-upload URL. The prefix check on the uploads directory can be bypassed with traversal sequences: the normalization function does not strip certain path segments, so they survive into the path handed to 'file_exists()', and the kernel resolves them when the file is opened.
Impact
Successful exploitation allows authenticated administrators to read arbitrary files on the server that are accessible to the web server user. This includes sensitive files like 'wp-config.php', which contains database credentials and authentication salts.
Reproduction
To reproduce this vulnerability, an authenticated user with administrator rights submits a form built with the Fluent Forms plugin. The form must include a file-upload field that is referenced in the admin email notification settings. On submission, the value supplied for the file-upload field is a URL crafted to traverse directories and reach arbitrary files on the server. Once the form is submitted, the resolved file is attached to the notification and sent to the configured email address via the 'wp_mail()' function.
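The root cause described under Vulnerability and exercised under Reproduction is a containment check that compares strings before the operating system has resolved the path. The following Python example is added here to illustrate that failure and the corresponding fix; it is not Fluent Forms' code (the plugin is PHP), and the weak check it models, which collapses only './' segments, is an assumption chosen to show the pattern, not a description of the plugin's actual normalization. The hardened check resolves both paths with 'realpath' and compares them with 'commonpath', so '..' segments and symlinks are settled before the comparison rather than after it. The directory layout and URLs are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_is_within(uploads_dir: str, candidate: str) -> bool:
    """Weak pattern (assumed for illustration, not the plugin's code):
    a light lexical cleanup followed by a string-prefix check.
    Only './' segments are collapsed, so '..' segments survive and the
    kernel, not this function, decides where the path really points."""
    normalized = candidate.replace("/./", "/")
    return normalized.startswith(uploads_dir.rstrip("/") + "/")


def hardened_is_within(uploads_dir: str, candidate: str) -> bool:
    """Resolve both sides ('..', symlinks) before comparing, then require
    that the uploads directory is a proper ancestor of the candidate."""
    base = os.path.realpath(uploads_dir)
    target = os.path.realpath(candidate)
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:
        # Raised when the paths have no common root (e.g. different drives).
        return False


def resolve_upload_url(uploads_url: str, uploads_dir: str, url: str) -> Optional[str]:
    """Map an upload URL to a filesystem path, or return None if the URL
    does not belong to the uploads area or escapes the uploads directory."""
    prefix = uploads_url.rstrip("/") + "/"
    if not url.startswith(prefix):
        return None
    relative = url[len(prefix):]
    candidate = os.path.join(uploads_dir, relative)
    if not hardened_is_within(uploads_dir, candidate):
        return None
    return os.path.realpath(candidate) if os.path.isfile(candidate) else None


def demo() -> dict:
    """Constructed layout: <tmp>/wp-config.php (stand-in) and
    <tmp>/wp-content/uploads/attachment.txt. Returns the outcome of the
    weak and hardened checks on a legitimate and a traversing URL."""
    root = tempfile.mkdtemp()
    uploads_dir = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads_dir)
    Path(root, "wp-config.php").write_text("<?php // constructed stand-in\n")
    Path(uploads_dir, "attachment.txt").write_text("hello\n")

    uploads_url = "https://example.test/wp-content/uploads"  # assumed site URL
    traversing = os.path.join(uploads_dir, "../../wp-config.php")
    return {
        "naive_accepts_traversal": naive_is_within(uploads_dir, traversing),
        "hardened_accepts_traversal": hardened_is_within(uploads_dir, traversing),
        "good_resolves": resolve_upload_url(uploads_url, uploads_dir, uploads_url + "/attachment.txt")
        == os.path.realpath(os.path.join(uploads_dir, "attachment.txt")),
        "bad_rejected": resolve_upload_url(uploads_url, uploads_dir, uploads_url + "/../../wp-config.php") is None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The weak check reports the traversing path as inside the uploads directory because the string still begins with that directory; the hardened check rejects it, and 'resolve_upload_url' returns None rather than a path to 'wp-config.php'. The 'commonpath' comparison also rejects sibling directories such as 'uploads-old', which a bare 'startswith' on a prefix without a trailing slash would let through.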
Remediation
Users are advised to update the Fluent Forms plugin to version 6.2.2 or later, where this vulnerability has been patched.