Fluent Forms <= 6.2.1 - Authenticated (Administrator+) Arbitrary File Read via Path Traversal in Email Attachment

CVE	CVE-2026-6344
State	PUBLISHED
Assigner	Wordfence
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-06 08:16:03 UTC
Updated	2026-05-06 08:16:03 UTC
Description	The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory: a strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve ".\..\" segments, and file_exists() then resolves them at the kernel level. This makes it possible for authenticated attackers with administrator access to read arbitrary files readable by the web-server user — including wp-config.php with its database credentials and authentication salts — by submitting a form whose admin notification is configured to attach a file-upload field and supplying a crafted URL of the shape <upload_baseurl>/../../<target> as the file-field value. The resolved file is attached to the outbound admin-notification email via wp_mail(). While the email can be triggered by unauthenticated users, the email recipient is not user-controlled.

Primary CVSS: v3.1 4.9 MEDIUM from [email protected]

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Problem Types: CWE-22 | CWE-22 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	4.9	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N`
3.1	CNA	DECLARED	4.9	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Source	Vendor	Product	Version	Platforms
CNA	Techjewel	Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder	affected 6.2.1 semver	Not specified

Reference	Source	Link	Tags
plugins.trac.wordpress.org/browser/fluentform/trunk/app/Modules/SubmissionHandler/Submis...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notificatio...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/changeset/3513845/fluentform/trunk/app/Services/FormBuilder/N...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/fluentform/trunk/app/Hooks/Ajax.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notificatio...	[email protected]	plugins.trac.wordpress.org
www.wordfence.com/threat-intel/vulnerabilities/id/0101113b-70c2-4db4-b6b1-b2412...	[email protected]	www.wordfence.com
plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notificatio...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notificatio...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notificatio...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notificatio...	[email protected]	plugins.trac.wordpress.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

CNA: Niv Kochan (en)

Source	Time	Event
CNA	2026-04-15T10:58:00.000Z	Vendor Notified
CNA	2026-05-05T17:53:19.000Z	Disclosed

There are currently no legacy QID mappings associated with this CVE.