CVE-2026-2428
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Description
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).
Analysis
Fluent Forms Pro Add On Pack for WordPress versions up to 6.1.17 fail to verify PayPal Instant Payment Notifications by default, allowing unauthenticated attackers to forge payment confirmations and mark unpaid submissions as paid. An attacker can exploit this to trigger post-payment automation including email delivery, access grants, and digital product distribution without actual payment. …
Remediation
Within 24 hours: Audit PayPal transaction logs for suspicious IPN activity and identify potentially fraudulent submissions. Within 7 days: Disable the affected plugin if not essential to operations, or manually enable IPN verification in PayPalSettings.php by changing the `disable_ipn_verification` setting to `'no'`. …
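The mechanism behind the description and the remediation, as an added Python example that is not the plugin's own code: a model IPN handler that skips PayPal's postback validation when `disable_ipn_verification` is `'yes'` and enforces it when the setting is `'no'`. Only the setting name and values come from the page; `fresh_orders`, `handle_ipn`, the two `paypal_says_*` callbacks and the sample IPN body are constructed for the example.

```python
import urllib.parse
from typing import Callable, Dict

# Hypothetical settings dicts modelled on the page: the weak default skips
# verification ('yes'); the remediation changes it to 'no'.
WEAK_SETTINGS = {"disable_ipn_verification": "yes"}
FIXED_SETTINGS = {"disable_ipn_verification": "no"}

def fresh_orders() -> Dict[str, dict]:
    """Constructed stand-in for unpaid form submissions awaiting payment."""
    return {"inv-1001": {"amount": "49.00", "currency": "USD", "status": "pending"}}

def build_verify_body(raw_ipn_body: str) -> str:
    """PayPal IPN protocol: the receiver echoes the exact raw body back to
    PayPal with cmd=_notify-validate prepended; PayPal replies VERIFIED or
    INVALID (INVALID for anything PayPal did not itself send)."""
    return "cmd=_notify-validate&" + raw_ipn_body

def handle_ipn(raw_body: str, settings: dict, orders: Dict[str, dict],
               verify: Callable[[str], str]) -> str:
    """Process one IPN POST body and return the order's resulting status.
    `verify` performs the postback to PayPal; it is injected so the example
    runs offline (a real handler POSTs to PayPal's IPN validation URL)."""
    fields = dict(urllib.parse.parse_qsl(raw_body))
    order = orders.get(fields.get("invoice", ""))
    if order is None:
        return "unknown-invoice"
    # The vulnerable default: 'yes' skips this whole block, so the
    # notification's origin is never checked before it is acted on.
    if settings["disable_ipn_verification"] != "yes":
        if verify(build_verify_body(raw_body)) != "VERIFIED":
            return order["status"]          # unverified: leave the order untouched
    # Even a VERIFIED IPN must match the order it claims to pay for.
    if (fields.get("payment_status") != "Completed"
            or fields.get("mc_gross") != order["amount"]
            or fields.get("mc_currency") != order["currency"]):
        return order["status"]
    order["status"] = "paid"                # post-payment automation would fire here
    return order["status"]

# Constructed sample: a notification PayPal never sent, so PayPal's postback
# answer for it would be INVALID.
FORGED_IPN = ("invoice=inv-1001&payment_status=Completed"
              "&mc_gross=49.00&mc_currency=USD&txn_id=CONSTRUCTED-TXN")

def paypal_says_invalid(_body: str) -> str:
    return "INVALID"

def paypal_says_verified(_body: str) -> str:
    return "VERIFIED"
```

With the weak default the forged body flips the order to paid without any postback; with verification enabled the same body leaves it pending, and a mismatched amount is refused even when PayPal does answer VERIFIED.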