CVE-2026-6344: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in techjewel Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory: a strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve ".\..\" segments, and file_exists() then resolves them at the kernel level. This makes it possible for authenticated attackers with administrator access to read arbitrary files readable by the web-server user — including wp-config.php with its database credentials and authentication salts — by submitting a form whose admin notification is configured to attach a file-upload field and supplying a crafted URL of the shape <upload_baseurl>/../../<target> as the file-field value. The resolved file is attached to the outbound admin-notification email via wp_mail(). While the email can be triggered by unauthenticated users, the email recipient is not user-controlled.
AI Analysis
Technical Summary
The Fluent Forms plugin for WordPress suffers from an arbitrary file read vulnerability due to improper pathname limitation (CWE-22) in the getAttachments() method of EmailNotificationActions. The method attempts to validate file-upload URLs with a strpos() prefix check and wp_normalize_path(), but these checks can be bypassed using directory traversal sequences (e.g., '../../'). As a result, authenticated attackers with administrator privileges can supply crafted URLs that resolve to files outside the WordPress uploads directory. These files are then attached to admin notification emails via wp_mail(), exposing their contents. The vulnerability affects versions up to and including 6.2.1. There is no vendor-provided patch or official remediation at this time.
Potential Impact
An authenticated attacker with administrator access can read arbitrary files on the web server that are readable by the web-server user. This includes sensitive files such as wp-config.php, which contains database credentials and authentication salts. The exposure occurs through admin notification emails that attach files from attacker-supplied URLs. While the email trigger can be initiated by unauthenticated users, the email recipient is fixed and not attacker-controlled, limiting the scope of data exfiltration. The vulnerability does not impact integrity or availability, only confidentiality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict administrator access to trusted users only and avoid configuring admin notification emails to attach file-upload fields. Monitor vendor channels for updates and apply patches promptly once available.
CVE-2026-6344: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in techjewel Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Description
The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory: a strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve ".\..\" segments, and file_exists() then resolves them at the kernel level. This makes it possible for authenticated attackers with administrator access to read arbitrary files readable by the web-server user — including wp-config.php with its database credentials and authentication salts — by submitting a form whose admin notification is configured to attach a file-upload field and supplying a crafted URL of the shape <upload_baseurl>/../../<target> as the file-field value. The resolved file is attached to the outbound admin-notification email via wp_mail(). While the email can be triggered by unauthenticated users, the email recipient is not user-controlled.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Fluent Forms plugin for WordPress suffers from an arbitrary file read vulnerability due to improper pathname limitation (CWE-22) in the getAttachments() method of EmailNotificationActions. The method attempts to validate file-upload URLs with a strpos() prefix check and wp_normalize_path(), but these checks can be bypassed using directory traversal sequences (e.g., '../../'). As a result, authenticated attackers with administrator privileges can supply crafted URLs that resolve to files outside the WordPress uploads directory. These files are then attached to admin notification emails via wp_mail(), exposing their contents. The vulnerability affects versions up to and including 6.2.1. There is no vendor-provided patch or official remediation at this time.
Potential Impact
An authenticated attacker with administrator access can read arbitrary files on the web server that are readable by the web-server user. This includes sensitive files such as wp-config.php, which contains database credentials and authentication salts. The exposure occurs through admin notification emails that attach files from attacker-supplied URLs. While the email trigger can be initiated by unauthenticated users, the email recipient is fixed and not attacker-controlled, limiting the scope of data exfiltration. The vulnerability does not impact integrity or availability, only confidentiality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict administrator access to trusted users only and avoid configuring admin notification emails to attach file-upload fields. Monitor vendor channels for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-15T10:43:33.977Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69faec1ccbff5d8610b39a01
Added to database: 5/6/2026, 7:22:04 AM
Last enriched: 5/6/2026, 7:37:00 AM
Last updated: 5/7/2026, 6:18:22 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.