Impact
The vulnerability is a CWE-22 path traversal flaw. Fluent Forms versions up to and including 6.2.1 allow an authenticated administrator to read arbitrary files that the web‑server can access. The flaw originates in the getAttachments() method of EmailNotificationActions, where attacker‑supplied file‑upload URLs are converted to filesystem paths without proper validation. A bypass of the prefix check using traversal sequences, coupled with wp_normalize_path() not resolving '.' or '..' segments, permits a crafted URL of the form <upload_baseurl>/../../<target> to be resolved to an arbitrary target file. The resolved file is then attached to an outbound admin‑notification email via wp_mail(), enabling data disclosure. Although an unauthenticated user can trigger the email, the recipient address is not user‑controlled, so the attack remains limited to the administrator’s email.
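The following PHP is an added illustration of the pattern described above and is not the plugin's code: a base‑URL‑to‑base‑dir conversion guarded only by a prefix check accepts a traversal URL, while a version that canonicalises with realpath() before checking containment rejects it. The function names, the normalize_path_like_wp() stand‑in for wp_normalize_path(), and the temporary fixture directory are assumptions made for this example.

```php
<?php
// Added example, not from Fluent Forms. Names and fixture are assumptions.

// Stand-in for wp_normalize_path(): fixes slashes only, never resolves '..'.
function normalize_path_like_wp(string $path): string {
    $path = str_replace('\\', '/', $path);
    return preg_replace('|(?<=.)/+|', '/', $path);
}

// Vulnerable pattern: swap base URL for base dir, then a plain prefix check.
// "<baseurl>/../x" becomes "<basedir>/../x", which still starts with
// $basedir, so the check passes and the OS resolves '..' on open.
function upload_url_to_path_vulnerable(string $url, array $uploads): ?string {
    if (strpos($url, $uploads['baseurl']) !== 0) {
        return null;
    }
    $path = normalize_path_like_wp(
        str_replace($uploads['baseurl'], $uploads['basedir'], $url)
    );
    return strpos($path, $uploads['basedir']) === 0 ? $path : null;
}

// Hardened version: realpath() resolves '.', '..' and symlinks against the
// real filesystem; the result must stay inside the canonical upload dir.
function upload_url_to_path_safe(string $url, array $uploads): ?string {
    $candidate = upload_url_to_path_vulnerable($url, $uploads);
    if ($candidate === null) {
        return null;
    }
    $base = realpath($uploads['basedir']);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;                 // directory or file does not exist
    }
    $base = rtrim($base, '/') . '/';
    return strpos($real, $base) === 0 ? $real : null;
}

// Constructed fixture: an upload dir with one attachment, plus a file one
// level above it standing in for anything outside the upload tree.
$root = sys_get_temp_dir() . '/ff-demo-' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/form.pdf", 'attachment');
file_put_contents("$root/outside.txt", 'must not be attached');
$uploads = ['baseurl' => 'https://example.test/uploads', 'basedir' => "$root/uploads"];

foreach (['https://example.test/uploads/form.pdf',
          'https://example.test/uploads/../outside.txt'] as $url) {
    printf("%s\n  vulnerable: %s\n  safe: %s\n", $url,
        upload_url_to_path_vulnerable($url, $uploads) ?? 'rejected',
        upload_url_to_path_safe($url, $uploads) ?? 'rejected');
}
```

The vulnerable function returns a path for both URLs, the hardened one returns the canonical path for form.pdf and rejects the traversal URL; the same containment check belongs before any file is handed to wp_mail() as an attachment.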
Affected Systems
The plugin "Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder" from techjewel is affected. All releases up to and including version 6.2.1 are impacted. The vulnerability is exploitable only when an admin‑notification email is configured to attach a file‑upload field and an authenticated administrator submits a form containing a crafted file‑upload URL.
Risk and Exploitability
The CVSS score of 4.9 reflects moderate severity. No EPSS score is currently available, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires administrator‑level access to the WordPress site so that a form submission with a malicious file‑upload URL can be made. After the email is sent, the unvalidated file is attached, providing the attacker with the contents of any file readable by the web‑server, including sensitive configuration files. While the risk is moderate to low in terms of the broader attack surface, the impact of reading wp‑config.php makes the vulnerability significant for privileged users.
OpenCVE Enrichment