PT-2026-22290 · WordPress · Fluent Forms Pro Add On Pack For Wordpress

Prickly Cactus · Published 2026-02-27 · Updated 2026-03-04

CVE-2026-2428 · CVSS v3.1 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Fluent Forms Pro Add On Pack for WordPress, versions through 6.1.17

Description: The software contains a flaw related to insufficient verification of data authenticity. Specifically, PayPal IPN (Instant Payment Notification) verification is disabled by default: the "disable ipn verification" setting defaults to 'yes' in the PayPalSettings.php file. Because the IPN endpoint is publicly accessible and does not confirm with PayPal that a notification is genuine, unauthenticated attackers can send fraudulent PayPal IPN notifications to it. Successful exploitation can mark unpaid form submissions as "paid," triggering subsequent post-payment automation such as emails, access grants, and digital product delivery. The API endpoint involved is the publicly accessible IPN endpoint; the vulnerable input is the forged PayPal IPN notification data.

Recommendations: Versions prior to 6.1.17 should be updated to address this issue.
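The following is an added illustration, not code from the plugin: an IPN receiver that refuses to flip a submission to "paid" unless PayPal confirms the notification, shown both with the weak default the advisory describes (verification disabled) and with verification on. The echo-back step (POST the raw body back to PayPal with cmd=_notify-validate and require the literal reply VERIFIED) is PayPal's documented IPN validation protocol; the function and parameter names (handle_ipn, verification_disabled, post) and the sample notification body are constructed for the example.

```python
# Added example, not the plugin's code. Hypothetical names: handle_ipn,
# verification_disabled, post. The echo-back check (POST the untouched body to
# PayPal with cmd=_notify-validate, accept only the reply VERIFIED) is PayPal's
# documented IPN validation step.
from urllib.parse import parse_qs

PAYPAL_VALIDATE_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

def verify_with_paypal(raw_body: bytes, post) -> bool:
    """Only the literal reply VERIFIED proves PayPal originated this body."""
    reply = post(PAYPAL_VALIDATE_URL, b"cmd=_notify-validate&" + raw_body)
    return reply.strip() == b"VERIFIED"

def handle_ipn(raw_body: bytes, *, verification_disabled: bool, post,
               expected_receiver: str, expected_amount: str,
               seen_txn_ids: set) -> dict:
    """Decide whether this IPN may mark the submission as paid."""
    # verification_disabled=True is the weak default from the advisory: the
    # public endpoint then trusts whatever is POSTed to it.
    if not verification_disabled and not verify_with_paypal(raw_body, post):
        return {"status": "rejected", "reason": "not VERIFIED by PayPal"}
    fields = {k: v[0] for k, v in parse_qs(raw_body.decode()).items()}
    # Authenticity alone is not enough; the business fields must match too.
    if fields.get("payment_status") != "Completed":
        return {"status": "rejected", "reason": "payment not Completed"}
    if fields.get("receiver_email") != expected_receiver:
        return {"status": "rejected", "reason": "receiver mismatch"}
    if fields.get("mc_gross") != expected_amount:
        return {"status": "rejected", "reason": "amount mismatch"}
    txn = fields.get("txn_id", "")
    if txn in seen_txn_ids:  # a PayPal txn_id may credit a submission once
        return {"status": "rejected", "reason": "duplicate txn_id"}
    seen_txn_ids.add(txn)
    return {"status": "paid", "txn_id": txn}

# Constructed sample: a well-formed IPN body that PayPal never sent.
SAMPLE_BODY = (b"payment_status=Completed&receiver_email=shop%40example.com"
               b"&mc_gross=49.00&txn_id=TEST0001&custom=submission-42")

def paypal_stub(url: str, body: bytes) -> bytes:
    """Stand-in for PayPal's validate endpoint; it knows no such payment."""
    return b"INVALID"

def demo(verification_disabled: bool) -> dict:
    """demo(True) -> paid (weak default); demo(False) -> rejected (fixed)."""
    return handle_ipn(SAMPLE_BODY, verification_disabled=verification_disabled,
                      post=paypal_stub, expected_receiver="shop@example.com",
                      expected_amount="49.00", seen_txn_ids=set())
```

With the setting left at its weak default, demo(True) reports the submission as paid even though PayPal's validate endpoint would answer INVALID; with verification enabled, demo(False) rejects the same body before any post-payment automation runs.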

Fix

Weakness Enumeration: Insufficient Verification of Data Authenticity

Related Identifiers: CVE-2026-2428

Affected Products: Fluent Forms Pro Add On Pack For Wordpress