CVE-2026-6344 Overview
CVE-2026-6344 is a path traversal vulnerability [CWE-22] in the Fluent Forms plugin for WordPress, affecting all versions up to and including 6.2.1. The flaw resides in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without proper containment validation. Authenticated attackers with administrator access can read arbitrary files accessible to the web-server user, including wp-config.php containing database credentials and authentication salts. The resolved file is silently attached to outbound admin notification emails sent via wp_mail().
Critical Impact
Authenticated administrators can exfiltrate sensitive server files such as wp-config.php, exposing database credentials and WordPress authentication salts.
Affected Products
- Fluent Forms plugin for WordPress, versions up to and including 6.2.1
- WordPress sites with admin-notification email actions configured to attach file-upload fields
- Hosting environments where the web-server user can read sensitive configuration files
Discovery Timeline
- 2026-05-06 - CVE-2026-6344 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-6344
Vulnerability Analysis
The vulnerability stems from insufficient path validation when Fluent Forms processes file-upload field values during email notification dispatch. The getAttachments() method receives a URL submitted with a form, attempts to confirm it points inside the WordPress uploads directory, and then converts it to a filesystem path. The validation logic relies on a strpos() prefix check against the raw URL, wp_normalize_path() for path canonicalization, and file_exists() for existence verification.
None of these primitives rejects directory traversal sequences. strpos() only confirms that the uploads base URL appears at the start of the string and says nothing about ..\..\ segments appended after it. wp_normalize_path() converts backslashes to forward slashes (turning the ..\ form into ../) but does not collapse ../ segments. file_exists() hands the string to the operating system, whose path lookup resolves the ../ segments, so a string that textually begins with the uploads directory can still name any file the web-server user can read. That file is then attached to the admin notification email.
Root Cause
The root cause is reliance on string-prefix matching against a URL in place of a containment check on the canonical filesystem path. A correct implementation resolves the candidate path with realpath(), which collapses ../ segments and follows symlinks, and then verifies that the result lies under the uploads directory. Two details matter in that comparison: realpath() returns false for a path that does not exist, which must be treated as a rejection rather than passed on, and the uploads directory must be compared with a trailing separator so that a sibling directory whose name merely begins with the same string does not pass as a prefix. The patched version (WordPress changeset #3513845) replaces the flawed validation in EmailNotificationActions.php with stricter path containment logic.
Attack Vector
An authenticated administrator configures a form whose admin notification action attaches a file-upload field. The attacker submits the form with a crafted value of the form <upload_baseurl>/../../<target> (or the backslash variant <upload_baseurl>/..\..\<target>) in the file field. getAttachments() prefix-matches the upload base URL, normalizes the separators, and the traversal is resolved at the filesystem layer when the path is checked. The targeted file, such as /var/www/html/wp-config.php, is attached to the outbound email and delivered to the configured notification recipient. Because the attacker already holds administrator privileges, they can also set that recipient to an address they control; the practical consequence is that the file leaves the host through outbound mail rather than in an HTTP response, which is where detection has to look.
No verified public exploit code is available. See the Wordfence Vulnerability Report and the WordPress Email Notification Action source for technical details.
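The check the Root Cause section calls for, and the URL shape from the Attack Vector, as an added example. This is Python rather than the plugin's PHP and is not Fluent Forms or WordPress code: the helpers are stand-ins for the primitives the advisory names (a strpos-style prefix check, wp_normalize_path(), file_exists(), realpath()). BASE_URL, the scratch directory layout and the file contents are assumptions constructed for the demonstration; the flawed resolver is shown only to contrast it with the contained one.

```python
"""Added example, not Fluent Forms or WordPress code: Python stand-ins for the
PHP primitives the advisory names (strpos prefix check, wp_normalize_path,
file_exists, realpath), showing why the first pattern lets '..' through and
the second does not. BASE_URL and the directory layout are assumptions."""
import os
import shutil
import tempfile
from typing import Optional

BASE_URL = "https://example.test/wp-content/uploads"  # assumed upload_baseurl


def normalize_path(p: str) -> str:
    """Stand-in for wp_normalize_path(): backslashes become forward slashes
    and runs of '/' collapse, but '..' segments are left in place."""
    p = p.replace("\\", "/")
    while "//" in p:
        p = p.replace("//", "/")
    return p


def resolve_prefix_only(url: str, base_dir: str) -> Optional[str]:
    """The flawed pattern: prefix match on the raw URL, separator
    normalisation, existence check. None of the three removes '..', and
    the OS path lookup behind the existence check resolves it."""
    if not url.startswith(BASE_URL):           # strpos($url, $base_url) === 0
        return None
    rel = normalize_path(url[len(BASE_URL):])  # wp_normalize_path()
    path = base_dir + rel                      # swap base URL for base dir
    return path if os.path.isfile(path) else None  # file_exists()


def resolve_contained(url: str, base_dir: str) -> Optional[str]:
    """Hardened pattern: canonicalise both sides with realpath() and require
    the file to sit under the uploads directory. Rejects '..' and symlinks
    that point outside; a non-existent file never reaches the comparison."""
    if not url.startswith(BASE_URL):
        return None
    rel = normalize_path(url[len(BASE_URL):]).lstrip("/")
    real_base = os.path.realpath(base_dir)
    real = os.path.realpath(os.path.join(real_base, rel))
    if not os.path.isfile(real):
        return None
    # Equivalent of the PHP 'base . DIRECTORY_SEPARATOR is a prefix' check;
    # commonpath compares whole segments, so a sibling 'uploads-old' cannot pass.
    if os.path.commonpath([real_base, real]) != real_base:
        return None
    return real


def demo() -> dict:
    """Build a throwaway site tree (constructed sample data) and run both
    resolvers on a legitimate upload URL and on the advisory's traversal shape."""
    site = tempfile.mkdtemp(prefix="wpsite-")
    try:
        uploads = os.path.join(site, "wp-content", "uploads")
        os.makedirs(os.path.join(uploads, "2026", "05"))
        with open(os.path.join(uploads, "2026", "05", "resume.pdf"), "w") as f:
            f.write("%PDF-1.4 constructed sample\n")
        with open(os.path.join(site, "wp-config.php"), "w") as f:
            f.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")

        legit = BASE_URL + "/2026/05/resume.pdf"
        # Backslash variant from the advisory: the prefix is intact, so the
        # strpos-style check passes, and normalisation then yields '/../../'.
        traversal = BASE_URL + "/..\\..\\wp-config.php"
        return {
            "legit_prefix_only": resolve_prefix_only(legit, uploads),
            "legit_contained": resolve_contained(legit, uploads),
            "traversal_prefix_only": resolve_prefix_only(traversal, uploads),
            "traversal_contained": resolve_contained(traversal, uploads),
        }
    finally:
        shutil.rmtree(site, ignore_errors=True)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

Running the block prints four results: both resolvers accept the legitimate upload, the prefix-only resolver returns a path for the traversal value that ends in wp-config.php, and the contained resolver returns None for it. The commonpath comparison is the Python equivalent of comparing against the uploads directory plus a trailing separator; a raw string prefix test on the realpath() output would still accept a sibling directory whose name starts with "uploads".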
Detection Methods for CVE-2026-6344
Indicators of Compromise
- Form submissions where file-upload field values contain ../ or ..\ traversal sequences targeting paths outside the WordPress uploads directory
- Outbound wp_mail() notifications carrying attachments with names matching sensitive files such as wp-config.php, .env, or /etc/passwd
- Admin-notification email rules recently modified to include file-upload field attachments combined with anomalous form submissions
Detection Strategies
- Inspect web access logs for POST requests to Fluent Forms submission endpoints whose request targets contain URL-encoded traversal patterns such as %2E%2E%2F or %2E%2E%5C; note that a standard access log records only the request line, not the POST body, so the submitted field values themselves are visible only in a WAF audit log or with request-body logging enabled
- Audit stored submissions in the wp_fluentform_submissions table (the wp_ prefix varies per install) for file-upload field values containing ../ or ..\ sequences
- Correlate Fluent Forms admin notification configurations with outbound mail server logs to identify attachments resolving to non-uploads directories
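The first two detection strategies in runnable form, as an added example that is not part of the advisory or the plugin. has_traversal() is the core test and is applied both to request targets from an access log and to stored field values pulled from the submission table; it percent-decodes repeatedly so double-encoded forms are caught, and accepts both separators so the backslash variant hits. The admin-ajax action name, the (submission_id, field_name, value) row shape and every log line and row are assumptions constructed for the example.

```python
"""Added example, not from the advisory or the plugin: flag '..' path
segments in Fluent Forms submission data. has_traversal() is the core check;
scan_access_log() applies it to request targets, scan_submissions() to stored
field values. The endpoint name and all sample data are assumptions."""
import re
from urllib.parse import unquote

# Assumption: Fluent Forms submits through admin-ajax.php with this action.
SUBMIT_ACTION = "fluentform_submit"
# A '..' segment bounded by a separator (either kind), string edge, or a
# query-string delimiter, so a name like 'report..final.pdf' does not count.
TRAVERSAL = re.compile(r"(?:^|[\\/=&?])\.\.(?:[\\/]|$)")
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def has_traversal(value: str, max_decode: int = 3) -> bool:
    """True if value contains a '..' segment after up to max_decode rounds of
    percent-decoding. The extra rounds catch double-encoded %252e%252e%255c;
    the regex accepts both separators, so the advisory's ..\\ form hits."""
    cur = value
    for _ in range(max_decode + 1):
        if TRAVERSAL.search(cur):
            return True
        nxt = unquote(cur)
        if nxt == cur:       # nothing left to decode
            return False
        cur = nxt
    return False


def scan_access_log(lines):
    """Return (ip, target) for POSTs to the submission endpoint whose request
    target carries a traversal sequence. Caveat: a standard access log holds
    only the request line, not the POST body, so this sees query strings;
    feed it a WAF audit log or enable body logging to cover field values."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group("method") != "POST":
            continue
        target = m.group("target")
        if SUBMIT_ACTION not in target:
            continue
        if has_traversal(target):
            hits.append((m.group("ip"), target))
    return hits


def scan_submissions(rows):
    """rows: iterable of (submission_id, field_name, value) as pulled from the
    plugin's submission storage. Returns the triples that contain traversal."""
    return [(sid, name, val) for sid, name, val in rows
            if isinstance(val, str) and has_traversal(val)]


# Constructed sample traffic, not real logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/May/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_submit HTTP/1.1" 200 311',
    '203.0.113.7 - - [06/May/2026:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_submit&file=%2Fwp-content%2Fuploads%2F%2E%2E%2F%2E%2E%2Fwp-config.php HTTP/1.1" 200 311',
    '198.51.100.4 - - [06/May/2026:10:03:40 +0000] "GET /wp-content/uploads/2026/05/resume.pdf HTTP/1.1" 200 8812',
    '203.0.113.7 - - [06/May/2026:10:04:01 +0000] "POST /wp-admin/admin-ajax.php?action=fluentform_submit&file=%252e%252e%255cwp-config.php HTTP/1.1" 200 311',
]
# Constructed rows in the shape (submission_id, field_name, value).
SAMPLE_ROWS = [
    (101, "upload_file", "https://example.test/wp-content/uploads/2026/05/resume.pdf"),
    (102, "upload_file", "https://example.test/wp-content/uploads/..\\..\\wp-config.php"),
    (103, "upload_file", "https://example.test/wp-content/uploads/2026/05/report..final.pdf"),
]

if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f"traversal in request from {ip}: {target}")
    for sid, name, val in scan_submissions(SAMPLE_ROWS):
        print(f"traversal in submission {sid} field {name}: {val}")
```

On the constructed data the log scan flags the two POSTs from 203.0.113.7 (one single-encoded, one double-encoded backslash form) and ignores the benign GET, and the row scan flags only submission 102. Bound max_decode: decoding until a fixed point is reached is fine for short field values, but on bulk log data a cap keeps pathological inputs from costing more than a few passes.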
Monitoring Recommendations
- Enable WordPress activity logging on plugin and form configuration changes, particularly to form email notification settings (the configuration consumed by EmailNotificationActions), including changes to notification recipient addresses
- Monitor file system access by the web-server user for reads of sensitive paths outside the normal WordPress bootstrap set; wp-config.php is loaded on every WordPress request (subject to opcache), so alerting on raw reads of it is noisy, whereas PHP-FPM workers reading /etc/passwd, .env files or another site's configuration is not expected and is worth an alert
- Alert on outbound SMTP messages from the WordPress host containing attachments that fall outside the wp-content/uploads directory
How to Mitigate CVE-2026-6344
Immediate Actions Required
- Update the Fluent Forms plugin to a release newer than 6.2.1 that includes changeset #3513845
- Audit administrator accounts and remove unused or shared admin sessions; this vulnerability requires administrator-level authentication
- Rotate WordPress authentication salts in wp-config.php and database credentials if compromise is suspected
- Review all configured admin email notifications for unexpected file-upload attachments
Patch Information
The vendor addressed the issue in the Fluent Forms plugin source tree via changeset #3513845, which corrects the path validation in EmailNotificationActions.php. Site administrators should update the plugin through the WordPress dashboard to a release newer than 6.2.1 that contains that changeset.
Workarounds
- Temporarily remove or disable Fluent Forms admin notifications that attach file-upload fields until the patch is applied
- Restrict the WordPress administrator role to a minimal set of trusted users and enforce multi-factor authentication on those accounts
- Tighten wp-config.php permissions so that only root and the web-server group can read it. This does not defeat the vulnerability itself, because the PHP worker runs as the web-server user and must read wp-config.php during bootstrap, so the traversal still reaches the file; it only limits exposure to other local accounts on a shared host. Treat it as hygiene alongside the patch, not as a substitute for it.
# Configuration example: restrict wp-config.php to root and the web-server group
# (www-data here is an assumption; use the group your PHP workers run under)
chown root:www-data /var/www/html/wp-config.php
chmod 640 /var/www/html/wp-config.php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


