WordPress Plugin Vulnerabilities
Fluent Forms < 6.2.2 - Admin+ Arbitrary File Read via Path Traversal
Description
The plugin is vulnerable to Arbitrary File Read via path traversal in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory. The strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve "..\..\" segments, and file_exists() then resolves them at the kernel level. This makes it possible for authenticated attackers with Administrator-level access to read arbitrary files readable by the web-server user, including wp-config.php with its database credentials and authentication salts, by submitting a form whose admin notification is configured to attach a file-upload field and supplying a crafted URL of the shape <upload_baseurl>/../../<target> as the file-field value. The resolved file is attached to the outbound admin-notification email via wp_mail(). While the email can be triggered by unauthenticated users, the email recipient is not user-controlled.
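The description above boils down to a resolver that checks a URL prefix as a string and then lets the filesystem interpret whatever is left. The following PHP is an added illustration, not Fluent Forms' own code: it places that unsafe pattern next to a hardened resolver that canonicalises with realpath() and checks containment on the resolved path. The function names, the temporary directory layout, the base URL and the sample URLs are all assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's code. Function names, the temporary
// directory layout and the sample URLs below are assumptions for this example.

/**
 * Unsafe pattern: strpos() prefix check on the raw URL, a string-level
 * normalisation that only flips backslashes (stand-in for wp_normalize_path(),
 * which likewise does not collapse ".." segments), then a file_exists() that
 * lets the kernel resolve any traversal that survived.
 */
function unsafeResolveAttachment(string $url, string $baseUrl, string $baseDir): ?string
{
    if (strpos($url, $baseUrl) !== 0) {
        return null; // "<baseUrl>/../../x" still passes this check
    }
    $relative = substr($url, strlen($baseUrl));
    $path = str_replace('\\', '/', $baseDir . $relative);
    return file_exists($path) ? $path : null;
}

/**
 * Hardened resolver: reject traversal tokens before touching the filesystem,
 * canonicalise with realpath() (which also resolves symlinks), and require the
 * result to start with the canonical base directory plus a trailing separator
 * so that "/uploads-evil" cannot masquerade as "/uploads".
 */
function safeResolveAttachment(string $url, string $baseUrl, string $baseDir): ?string
{
    if (strpos($url, $baseUrl) !== 0) {
        return null;
    }
    $relative = substr($url, strlen($baseUrl));
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $relative) === 1) {
        return null; // a "../" or "..\" segment in the URL path
    }
    $realBase = realpath($baseDir);
    $realPath = realpath($baseDir . $relative);
    if ($realBase === false || $realPath === false) {
        return null; // base missing, file missing, or path unresolvable
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realPath, $realBase, strlen($realBase)) !== 0) {
        return null; // resolved outside the uploads directory
    }
    return $realPath;
}

// Constructed demo layout in a temporary directory: an uploads folder with one
// harmless file, and a sensitive file two levels above it.
$root    = sys_get_temp_dir() . '/ff-demo-' . getmypid();
$uploads = $root . '/wp-content/uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/receipt.pdf', 'harmless attachment');
file_put_contents($root . '/wp-config.php', '<?php // sensitive config');

$baseUrl = 'https://example.test/wp-content/uploads'; // assumed upload base URL

$cases = [
    'legitimate upload'          => $baseUrl . '/receipt.pdf',
    'traversal to wp-config.php' => $baseUrl . '/../../wp-config.php',
];

foreach ($cases as $label => $url) {
    printf(
        "%-28s unsafe=%s safe=%s\n",
        $label,
        var_export(unsafeResolveAttachment($url, $baseUrl, $uploads), true),
        var_export(safeResolveAttachment($url, $baseUrl, $uploads), true)
    );
}

// Remove the constructed layout again.
unlink($uploads . '/receipt.pdf');
unlink($root . '/wp-config.php');
rmdir($uploads);
rmdir($root . '/wp-content');
rmdir($root);
```

The hardened version makes two independent decisions the unsafe one skips: it refuses any ".." segment in the URL path regardless of separator, and it compares the canonical resolved path against the canonical base directory rather than comparing raw strings. The trailing separator on the base directory matters; without it a sibling directory whose name merely starts with "uploads" would pass the prefix test. Because realpath() follows symlinks, a link planted inside the uploads directory that points elsewhere is rejected as well.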