CVE-2026-2428

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://fluentforms.com/docs/changelog/#2-toc-title
https://www.wordfence.com/threat-intel/vulnerabilities/id/e5c62e54-da06-4b44-ba70-63065e664b0d?source=cve

Configurations

No configuration.

History

No history.

Information

Published : 2026-02-27 04:16

Updated : 2026-02-27 14:06

NVD link : CVE-2026-2428

Mitre link : CVE-2026-2428

CVE.ORG link : CVE-2026-2428

JSON object : View

Products Affected

No product.

CWE

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2026-2428", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-27T04:16:03.600", "references": [{"url": "https://fluentforms.com/docs/changelog/#2-toc-title", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5c62e54-da06-4b44-ba70-63065e664b0d?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as \"paid\" and triggering post-payment automation (emails, access grants, digital product delivery)."}, {"lang": "es", "value": "El plugin Fluent Forms Pro Add On Pack para WordPress es vulnerable a la Verificaci\u00f3n Insuficiente de Autenticidad de Datos en todas las versiones hasta la 6.1.17, inclusive. Esto se debe a que la verificaci\u00f3n de PayPal IPN (Notificaci\u00f3n Instant\u00e1nea de Pago) est\u00e1 deshabilitada por defecto (disable_ipn_verification tiene un valor predeterminado de 'yes' en PayPalSettings.php). Esto permite que atacantes no autenticados env\u00eden notificaciones PayPal IPN falsificadas al endpoint IPN de acceso p\u00fablico, marcando las entregas de formularios no pagadas como 'pagadas' y activando la automatizaci\u00f3n posterior al pago (correos electr\u00f3nicos, concesi\u00f3n de accesos, entrega de productos digitales)."}], "lastModified": "2026-02-27T14:06:37.987", "sourceIdentifier": "security@wordfence.com"}