CVE-2026-2428 HIGH

CVE-2026-2428: Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification

Vendor Techjewel
Product Fluent Forms Pro Add On Pack
Weakness CWE-345
Published February 27, 2026
Last update April 8, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).

Explanation of Vulnerability in Simple Terms

02Summary

Fluent Forms Pro Add On Pack versions up to 6.1.17 contain an integrity vulnerability that allows unauthenticated attackers to modify data over the network. The vulnerability requires no user interaction and affects the integrity of form submissions or stored data. Site administrators should update to a version newer than 6.1.17 to remediate this issue.

What an attacker can do

03Attacker Capabilities

Modify form data or submissions without authentication.

Potential impact on your site

04Site Impact

Form submissions or stored data can be altered by attackers without your knowledge or consent.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

February 27, 2026 CVE published
April 8, 2026 Record updated