CVE-2026-2899 is a Missing Authorization vulnerability (CWE-862) in the Fluent Forms Pro Add On Pack WordPress plugin developed by techjewel. The vulnerability exists in all versions up to and including 6.1.17 due to the deleteFile() method in the Uploader class lacking proper authorization controls such as nonce verification and capability checks. The AJAX action responsible for file deletion is registered via addPublicAjaxAction(), which creates both wp_ajax_ and wp_ajax_nopriv_ hooks, exposing the functionality to unauthenticated users. This allows remote attackers to invoke the deleteFile() method by supplying an attachment_id parameter, resulting in deletion of arbitrary WordPress media attachments without any authentication or user interaction. Although the researcher initially indicated a path-based deletion vector using the path parameter and sanitize_file_name(), the actual code path uses Protector::decrypt() for path-based deletion, which prevents exploitation through that vector. The vulnerability thus specifically affects media attachment deletion via attachment_id. The CVSS v3.1 base score is 6.5 (medium severity) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating network attack vector, low attack complexity, no privileges or user interaction required, and impacts on integrity and availability but not confidentiality. No patches or known exploits are currently available or observed in the wild. The vulnerability can be leveraged to delete media files, potentially disrupting website content and availability.

This vulnerability allows unauthenticated remote attackers to delete arbitrary media attachments from WordPress sites running the affected Fluent Forms Pro Add On Pack plugin. The deletion of media files can disrupt website content presentation, cause loss of important media assets, and degrade user experience. For organizations relying heavily on WordPress for content management, this can lead to partial denial of service or content integrity issues. Although it does not expose confidential data directly, the loss of media files can impact brand reputation and operational continuity. Attackers could automate exploitation at scale due to the lack of authentication and user interaction requirements. This risk is amplified for high-traffic or business-critical WordPress sites using this plugin. No known exploits in the wild reduce immediate risk, but the vulnerability remains exploitable and should be addressed promptly.

1. Immediately update the Fluent Forms Pro Add On Pack plugin to a patched version once released by the vendor. Monitor official channels for patch announcements. 2. Until a patch is available, restrict access to the WordPress admin-ajax.php endpoint using web application firewall (WAF) rules or server-level access controls to block unauthenticated requests targeting the deleteFile AJAX action. 3. Implement strict capability checks and nonce verification in custom code or plugin overrides if feasible to enforce authorization on AJAX actions. 4. Regularly audit WordPress media libraries and logs for unexpected deletions or suspicious AJAX requests. 5. Employ security plugins that can detect and block unauthorized AJAX calls. 6. Backup WordPress media files frequently to enable recovery from unauthorized deletions. 7. Limit plugin usage to trusted and actively maintained plugins to reduce attack surface.