CVE-2026-2428
Insufficient Data Verification in Fluent Forms Pro Enables Payment Forgery
Publication date: 2026-02-27
Last updated on: 2026-02-27
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpfluent | fluent_forms_pro_add_on_pack | up to and including 6.1.17 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Fluent Forms Pro Add On Pack plugin for WordPress has a vulnerability related to insufficient verification of data authenticity. Specifically, the PayPal IPN (Instant Payment Notification) verification is disabled by default, which means that unauthenticated attackers can send fake PayPal IPN notifications to the plugin's publicly accessible IPN endpoint.
Because of this, attackers can mark unpaid form submissions as "paid" and trigger automated post-payment actions such as sending emails, granting access, or delivering digital products without actual payment.
How can this vulnerability impact me?
This vulnerability can allow attackers to fraudulently mark payments as completed without actually paying. As a result, you may experience unauthorized access to paid content, delivery of digital products without payment, and triggering of automated processes like emails or access grants.
This can lead to financial loss, unauthorized distribution of products or services, and potential damage to your business reputation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the PayPal IPN verification is disabled in the Fluent Forms Pro Add On Pack plugin for WordPress. Specifically, you need to verify if the setting `disable_ipn_verification` is set to 'yes' in the `PayPalSettings.php` file.
You can search for this setting in the plugin files using commands like:
- `grep -r "disable_ipn_verification" /path/to/wordpress/wp-content/plugins/fluent-forms-pro-add-on-pack/`
- `grep -r "disable_ipn_verification = 'yes'" /path/to/wordpress/wp-content/plugins/fluent-forms-pro-add-on-pack/`
Additionally, monitoring network traffic for unexpected or forged PayPal IPN notifications sent to the publicly accessible IPN endpoint could help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should enable PayPal IPN verification by setting `disable_ipn_verification` to 'no' in the `PayPalSettings.php` file of the Fluent Forms Pro Add On Pack plugin.
This ensures that PayPal IPN notifications are properly verified, preventing unauthenticated attackers from sending forged notifications that mark unpaid form submissions as paid.
Additionally, consider updating the plugin to a version later than 6.1.17 if available, where this issue is fixed.
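As an added illustration of the mechanism described in the explanation and mitigation answers above (example code, not the plugin's own), the handler below shows what a disabled IPN verification step removes: the postback of the untouched message to PayPal's `cmd=_notify-validate` endpoint, which answers `VERIFIED` or `INVALID`, together with the order checks a handler should still make on a verified message. The `disable_ipn_verification` flag mirrors the setting named above; the field names are PayPal's standard IPN variables, and the order and IPN message are constructed.

```python
from typing import Callable
from urllib.parse import parse_qsl, urlencode
import urllib.request

# PayPal's documented IPN postback endpoint (sandbox: ipnpb.sandbox.paypal.com).
PAYPAL_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

def paypal_postback(raw_body: bytes) -> str:
    """Echo the untouched IPN body back to PayPal with cmd=_notify-validate
    prepended; PayPal replies with the literal string VERIFIED or INVALID."""
    req = urllib.request.Request(
        PAYPAL_VERIFY_URL, data=b"cmd=_notify-validate&" + raw_body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii", "replace").strip()

def process_ipn(raw_body: bytes, expected: dict, seen_txn_ids: set,
                postback: Callable[[bytes], str] = paypal_postback,
                disable_ipn_verification: bool = False) -> str:
    """Return 'paid' only for an authentic IPN that matches the stored order.
    `expected` is what the site recorded at submission time (constructed here);
    `disable_ipn_verification=True` reproduces the weak default described above."""
    fields = dict(parse_qsl(raw_body.decode("utf-8"), keep_blank_values=True))
    # The step the vulnerable default skips: ask PayPal whether it sent this message.
    if not disable_ipn_verification and postback(raw_body) != "VERIFIED":
        return "rejected: postback not VERIFIED"
    if fields.get("payment_status") != "Completed":
        return "ignored: status " + fields.get("payment_status", "?")
    # A VERIFIED message may still be a real payment for another order or account.
    if fields.get("receiver_email", "").lower() != expected["receiver_email"].lower():
        return "rejected: receiver mismatch"
    if (fields.get("mc_gross"), fields.get("mc_currency")) != (expected["mc_gross"], expected["mc_currency"]):
        return "rejected: amount/currency mismatch"
    txn = fields.get("txn_id", "")
    if not txn or txn in seen_txn_ids:
        return "rejected: replayed or missing txn_id"
    seen_txn_ids.add(txn)
    return "paid"

# Constructed sample: an order of 49.00 USD and an IPN body that PayPal never issued.
EXPECTED_ORDER = {"receiver_email": "merchant@example.com", "mc_gross": "49.00", "mc_currency": "USD"}
SAMPLE_IPN = urlencode({"payment_status": "Completed", "receiver_email": "merchant@example.com",
                        "mc_gross": "49.00", "mc_currency": "USD", "txn_id": "SAMPLE-TXN-0001",
                        "custom": "submission-42"}).encode()

if __name__ == "__main__":
    never_sent = lambda body: "INVALID"  # PayPal's answer for a message it never sent
    print(process_ipn(SAMPLE_IPN, EXPECTED_ORDER, set(), never_sent, disable_ipn_verification=True))  # -> paid
```

With verification enabled the same message is rejected at the postback step, and a message PayPal does confirm is still held to the stored receiver, amount, currency and a fresh `txn_id`.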