CVE-2026-2428
Received Received - Intake
Insufficient Data Verification in Fluent Forms Pro Enables Payment Forgery

Publication date: 2026-02-27

Last updated on: 2026-02-27

Assigner: Wordfence

Description
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2428
EUVD
EUVD-2026-8986
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpfluent fluent_forms_pro_add_on_pack to 6.1.17 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Fluent Forms Pro Add On Pack plugin for WordPress has a vulnerability related to insufficient verification of data authenticity. Specifically, the PayPal IPN (Instant Payment Notification) verification is disabled by default, which means that unauthenticated attackers can send fake PayPal IPN notifications to the plugin's publicly accessible IPN endpoint.

Because of this, attackers can mark unpaid form submissions as "paid" and trigger automated post-payment actions such as sending emails, granting access, or delivering digital products without actual payment.

Impact Analysis

This vulnerability can allow attackers to fraudulently mark payments as completed without actually paying. As a result, you may experience unauthorized access to paid content, delivery of digital products without payment, and triggering of automated processes like emails or access grants.

This can lead to financial loss, unauthorized distribution of products or services, and potential damage to your business reputation.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the PayPal IPN verification is disabled in the Fluent Forms Pro Add On Pack plugin for WordPress. Specifically, you need to verify if the setting `disable_ipn_verification` is set to 'yes' in the `PayPalSettings.php` file.

You can search for this setting in the plugin files using commands like:

  • grep -r "disable_ipn_verification" /path/to/wordpress/wp-content/plugins/fluent-forms-pro-add-on-pack/
  • grep -r "disable_ipn_verification = 'yes'" /path/to/wordpress/wp-content/plugins/fluent-forms-pro-add-on-pack/

Additionally, monitoring network traffic for unexpected or forged PayPal IPN notifications sent to the publicly accessible IPN endpoint could help detect exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability immediately, you should enable PayPal IPN verification by setting `disable_ipn_verification` to 'no' in the `PayPalSettings.php` file of the Fluent Forms Pro Add On Pack plugin.

This ensures that PayPal IPN notifications are properly verified, preventing unauthenticated attackers from sending forged notifications that mark unpaid form submissions as paid.

Additionally, consider updating the plugin to a version later than 6.1.17 if available, where this issue is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2428. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart