CVE-2026-2428 PUBLISHED

Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification

Assigner: Wordfence
Reserved: 12.02.2026 Published: 27.02.2026 Updated: 27.02.2026

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (disable_ipn_verification defaults to 'yes' in PayPalSettings.php). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS Score: 7.5

Product Status

Vendor techjewel
Product Fluent Forms Pro Add On Pack
Versions Default: unaffected
  • affected from * to 6.1.17 (incl.)

Credits

  • Prickly Cactus finder

References

Problem Types

  • CWE-345 Insufficient Verification of Data Authenticity CWE