CVE-2026-6344 - Changeset Plugin
CVE-2026-6344
The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory: a strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve ".\..\" segments, and file_exists() then resolves them at the kernel level. This makes it possible for authenticated attackers with administrator access to read arbitrary files readable by the web-server user — including wp-config.php with its database credentials and authentication salts — by submitting a form whose admin notification is configured to attach a file-upload field and supplying a crafted URL of the shape /../../ as the file-field value. The resolved file is attached to the outbound admin-notification email via wp_mail(). While the email can be triggered by unauthenticated users, the email recipient is not user-controlled.
CVE-2026-6344
MEDIUM
CVSS 4.9
Published 2026-05-06
Updated 2026-05-06
AI Risk Elevated (57/100)
Active Exploit: No strong signal
Published Exploit: No public exploit references
Priority: P3 Priority
Severity Band
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Affected Components
3
Reference Links
10
AI Risk Engine
Elevated (57/100)
Exploitability
High
Active Exploitation
No strong signal
Published Exploit Status
No public exploit references
AI Context
Machine-generated threat intelligence
AI
Updated 1 day ago
AI enriched 1 day ago (2026-05-24 00:20 UTC)
Technical Summary
The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory: a strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve ".\..\" segments, and file_exists() then resolves them at the kernel…
Potential Impact
Severity is MEDIUM (CVSS 4.9). Depending on deployment context, affected components may be exposed to unauthorized actions or data integrity risk.
Exploitability Assessment
Exploitability is assessed as High based on remote code execution potential, low-bar exploit prerequisites.
Primary risk drivers: remote code execution potential, low-bar exploit prerequisites
Mitigation Recommendations
Validate affected product versions, prioritize patching, and monitor references for vendor remediation guidance. If immediate patching is not possible, apply compensating controls and limit exposure of vulnerable surfaces.
Detection & Monitoring
Track authentication anomalies, unexpected file writes, and suspicious plugin API activity around affected components.
Business Impact Lens
AI risk score 57/100 (Elevated, High) with priority P3 Priority. Prioritize remediation where affected components process customer data, admin sessions, or Internet-exposed workflows.
