The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the deleteFile() method in the Uploader class lacking nonce verification and capability checks. The AJAX action is registered via addPublicAjaxAction() which creates both wp_ajax_ and wp_ajax_nopriv_ hooks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments via the attachment_id parameter.
Note: The researcher described file deletion via the path parameter using sanitize_file_name(), but the actual code uses Protector::decrypt() for path-based deletion which prevents exploitation. The vulnerability is exploitable via the attachment_id parameter instead.