What the vulnerability does
01 Description
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).
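To make the failure mode concrete, the following is an added illustration (not code from Fluent Forms or from PayPal) of the IPN verification step the advisory says is disabled by default: a handler that skips the PayPal postback when `disable_ipn_verification` is `'yes'`, next to a hardened handler that always posts the notification back to PayPal and checks the fields PayPal does not vouch for. Function names, the `expected` dict and the sample IPN message are assumptions constructed for the example; the PayPal responder is swapped for an offline stand-in so it runs without network.

```python
"""Added example: PayPal IPN verification, weak default vs hardened handler.

PayPal IPN is verified by posting the received message back to PayPal with
``cmd=_notify-validate`` prepended; PayPal answers ``VERIFIED`` or ``INVALID``.
"""
from urllib.parse import urlencode
from urllib.request import Request, urlopen

PAYPAL_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

def postback_to_paypal(raw_body: bytes) -> str:
    """Live postback. Production code must send the raw request body byte-for-byte."""
    req = Request(PAYPAL_VERIFY_URL, data=b"cmd=_notify-validate&" + raw_body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def weak_ipn_handler(ipn: dict, settings: dict, postback=postback_to_paypal) -> bool:
    """Mirrors the reported defect: the setting defaults to 'yes', so the postback is skipped
    and any message claiming 'Completed' is accepted as a payment."""
    if settings.get("disable_ipn_verification", "yes") != "yes":
        if postback(urlencode(ipn).encode()) != "VERIFIED":
            return False
    return ipn.get("payment_status") == "Completed"

def hardened_ipn_handler(ipn: dict, expected: dict, seen_txn_ids: set,
                         postback=postback_to_paypal) -> bool:
    """Always postback, then check receiver, amount/currency and txn_id replay.
    A VERIFIED answer only proves PayPal sent the message, not that it is ours."""
    if postback(urlencode(ipn).encode()) != "VERIFIED":
        return False
    if ipn.get("payment_status") != "Completed":
        return False
    if ipn.get("receiver_email", "").lower() != expected["receiver_email"].lower():
        return False
    if ipn.get("mc_currency") != expected["currency"] or ipn.get("mc_gross") != expected["amount"]:
        return False
    txn = ipn.get("txn_id")
    if not txn or txn in seen_txn_ids:   # reject missing or replayed transaction ids
        return False
    seen_txn_ids.add(txn)
    return True

# Constructed sample: a notification PayPal never issued (postback would answer INVALID).
SAMPLE_IPN = {"payment_status": "Completed", "txn_id": "constructed-txn-1",
              "mc_gross": "10.00", "mc_currency": "USD", "receiver_email": "merchant@example.com"}
EXPECTED = {"receiver_email": "merchant@example.com", "currency": "USD", "amount": "10.00"}

def paypal_says_invalid(_body: bytes) -> str: return "INVALID"    # offline stand-in
def paypal_says_verified(_body: bytes) -> str: return "VERIFIED"  # offline stand-in
```

With the default settings the weak handler accepts `SAMPLE_IPN` without ever asking PayPal; the hardened handler rejects it, and rejects a replay of a genuine transaction id as well.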
Explanation of Vulnerability in Simple Terms
02 Summary
Fluent Forms Pro Add On Pack versions up to 6.1.17 contain an integrity vulnerability that allows unauthenticated attackers to modify data over the network. The vulnerability requires no user interaction and affects the integrity of form submissions or stored data. Site administrators should update to a version newer than 6.1.17 to remediate this issue.
What an attacker can do
03 Attacker Capabilities
Modify form data or submissions without authentication.
Potential impact on your site
04 Site Impact
Form submissions or stored data can be altered by attackers without your knowledge or consent.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
February 27, 2026
CVE published
April 8, 2026
Record updated